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ABSTRACT 


We propose a cryptographic technique for an authenticated, end-to-end verifiable and secret ballot election. 
Currently, almost all verifiable e-voting systems require trusted authorities to perform the tallying process 
except for the DRE-i and DRE-ip systems. We have shown a weakness of the DRE-ip system and proposed a 
solution. We propose a secure and verifiable voter registration and authentication mechanism. The proposed 
scheme prevents ballot stuffing attack. We have modified the DRE-ip system so that no adversary can create 
and post a valid ballot on the public bulletin board without detection. We propose a method for publishing 
the final tally without revealing the tally from individual Direct-Recording Electronic (DRE) machines using 
secure multi-party computation and non-interactive zero-knowledge (NIZK) proof. We propose two methods 
to store these ballots using blockchain and cloud server. To the best of our knowledge, it is the first end-to- 
end verifiable DRE based e-voting system using blockchain. We provide security proofs to prove the security 
properties of the proposed scheme. We prove that the efficient NIZK proof proposed by Lin et al. in APSIPA 
ASC 2019 is not correct since it does not satisfy the witness indistinguishability property of a zero-knowledge 
proof. We introduce an improved NIZK proof that boosts the efficiency of the system. The experimental data 


obtained from our tests show the protocol’s potential for real-world deployment. 


1. Introduction 


Election is a process of establishing the democracy in the country. 
It is also one of the most challenging task, one whose constraints are 
remarkably strict. Each voter should receive assurance that her vote 
is cast as intended, recorded as cast and tallied as recorded. In addition, 
the election system as a whole should ensure that voter coercion is 
unlikely, even when voters are willing to be influenced. There has been 
extensive adoption of Direct-Recording Electronic (DRE) devices for 
voting at polling stations around the world. Starting with the seminal 
work by Chaum, published in IEEE Security & Privacy [1] in 2004, 
research on end-to-end (E2E) verifiable e-voting has become a thriving 
field. Informally, the notion of E2E verifiability refers to have three 
properties: (1) each voter is able to verify if her vote has been cast 
as intended; (2) each voter is able to verify if her vote has been 
recorded as cast; (3) anyone can verify if all the votes have been tallied 
as recorded. By contrast, in traditional paper-based voting system, a 
voter cannot verify how her vote is recorded and tallied in the voting 
process. As with traditional elections, voters go to their polling station, 
prove their eligibility for casting votes by presenting their identity 
card. The voter is given a token [2] that allows her to cast vote for 
her chosen candidate. Therefore, the system depends on trustworthy 
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individual at the polling stations, thus leading to the introduction of 
automated paperless secure e-voting system. In this paper, we propose a 
secure authenticated DRE based E2E verifiable e-voting system without 
tallying authorities. 

Hao et al. proposed a voting system, called DRE-i (DRE with in- 
tegrity) [3], to achieve E2E verifiability without involving any tallying 
authorities (TAs). However, the pre-computation strategy requires that 
the pre-computed data is securely stored and accessed during the 
voting phase. This introduces the possibility for an adversary to break 
into the secure storage module and compromise the privacy of all 
ballots. To overcome this issue, Shahandashti et al. provided a vot- 
ing system, called DRE-ip [4] (DRE-i with enhanced privacy). DRE-ip 
achieves E2E verifiability without TAs and simultaneously a signifi- 
cantly stronger privacy guarantee than DRE-i. However, both DRE-i 
and DRE-ip systems necessitate the requirement of a secure append- 
only public bulletin board (BB). If the BB or the voting machine or the 
private key of the signature is compromised, an attacker can change 
some ballots and add additional ballots as well in such a way that 
it cannot be detected by the DRE-ip tally verification algorithm. The 
private key of the signature might be compromised at the setup stage. 
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In his PhD thesis, Benaloh [5] assumes BBs with a secure append- 
only write operations, also stressing out that “implementing such bul- 
letin boards may be problem unto itself”. Although the assumption that 
the BB is a trusted centralized entity is common in the literature, the 
importance of removing the BB as a single point of failure has been 
extensively discussed in the recent works of Culnane and Schneider [6], 
Chondros et al. [7] and Kiayias et al. [8]. In [8], Kiayias et al. show a 
weakness of the bulletin board proposed in [6] and improve the system. 
However, in [8], for n peers, the minimum number of honest item 
collection peers that receive and store submitted items must be greater 
than 2n/3 to ensure correct behavior of their bulletin board design. 
In [9], Küsters et al. raise awareness of an attack, which they call a clash 
attack, on the verifiability of some of the well-known e-voting systems 
(for example, ThreeBallot and VAV voting systems [10], a variant of 
the Helios voting system [11] and the Wombat Voting system [12]). 
Kiisters et al. show that, if the voting machine and the bulletin board 
collaborate, a bulletin board can replace some ballots by its choice so 
that it cannot be detected. In [13], Benaloh et al. describe their Trash 
attack on some well-known verifiable e-voting systems if the bulletin 
board is compromised. 

Instead of assuming a secure append-only public bulletin board, 
we have modified the DRE-ip algorithm to make it tamper-evident 
and have proposed two methods (depending on how the election 
is arranged) to store the ballots using blockchain and cloud server. 
Since the inception of Bitcoin [14] in 2008, researchers have proposed 
numerous blockchain-enabled solutions for problems in areas such as 
artificial intelligent, big data management [15], internet of things [16], 
5G [17], health-care [18] and shipping [19] etc. A comprehensive 
literature review of blockchain-based solutions can be found at [20]. 
We have measured the costs in terms of Ethereum Gas (and US dollars) 
to verify and store each ballot on Ethereum blockchain. In this case, all 
the ballots and public keys of the system remain tamper-resistant. This 
system prevents coercion even when voters are willing to be influenced. 
For example, voters may collude with an adversary to vote in favor 
of adversary’s chosen candidate and may intend to prove their choice 
of vote after the voting process. Our proposed system uses the expo- 
nential ElGamal cryptosystem to encrypt a vote. The system generates 
two distinct generators of the group whose logarithmic relationship 
is unknown. The system securely deletes the random variable and 
the vote (‘confirmed’ vote) for each voter. Consequently, the voter 
cannot prove her chosen candidate to the adversary. Thus, this kind of 
coercion can be avoided. Normally, some kinds of coercion-resistance 
are also provided by the supervised environment of the polling station 
voting [21]. In addition, since each DRE machine normally covers 
voting process for small regions, revealing the tally from each DRE 
machine discloses the distribution of voters against various political 
parties in small regions. Disclosure of this distribution may impact 
financial investments, economic development and social security of 
those small regions. This is also a breach of voter’s privacy to some 
extent. We propose a secure multi-party computation scheme with non- 
interactive zero-knowledge (NIZK) proof to compute the final tally 
correctly while keeping the tally from each DRE machine secret. 

We also propose a novel method for voter registration and authen- 
tication in a verifiable manner using Fuzzy Vault algorithm [22]. As 
opposed to the traditional biometric based authentication systems, we 
do not store the biometric template (fingerprint) of individual voters. 
There are some privacy and security advantages of our proposed voter 
registration and authentication system. First, we store a biometrically 
encrypted key corresponding to an individual voter from which neither 
the biometric nor the key can be retrieved. The secret key itself is 
independent of the biometric and can be changed or modified. Sec- 
ondly, we do not rely on fingerprint alone for authentication since 
people leave fingerprint everywhere inadvertently. In addition, there 
may be Mafia-owned businesses that collect fingerprint data in large 
quantities if there is any exploit path. Thirdly, we present a two factor 
authentication scheme relying on fingerprint of the voter and a smart 
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card (containing a secret key) given to the voter. Fourthly, our scheme 
is publicly verifiable. We show that the correctness of our system is 
verifiable by the public. As a result, the system thwarts ballot stuffing 
attack. 

Our contributions. Our contributions in this article include the 
following. 


1. We have shown one weakness of the DRE-ip system. An attacker 
can post ballots in such a way that it cannot be detected by 
the tally verification process. We have proposed a solution to 
prevent this attack. 

2. We propose a secure and verifiable voter registration and au- 
thentication mechanism using voter’s biometric information (fin- 
gerprint). The proposed system prevents the well-known ballot 
stuffing attack. 

3. We also propose a method for publishing the final tally when 
multiple DRE machines are used in a regional zone keeping the 
result (i.e. tally) from each DRE machine secret. By a regional 
zone, we mean a constituency from where a candidate is to be 
elected such as a district instead of the whole country. Thus, our 
system hides the distribution of voters against various political 
parties in small areas where DRE machines are used. 

4. Depending on how the election is organized, we propose two 
methods to store the ballots on a public bulletin board. 

5. To the best of our knowledge, it is the first end-to-end verifiable 
DRE based e-voting system using blockchain. 

6. We prove that our scheme satisfies the eligibility verifiability 
property. We also provide security proofs to show that the 
proposed protocol is end-to-end verifiable as well as preserves 
each voter’s privacy and the integrity of the system. 

7. We prove that the efficient NIZK proof algorithm proposed by 
Lin et al. [23] is not correct since it does not satisfy the prop- 
erties of a zero-knowledge proof. We propose an efficient 1-out- 
of-n NIZK algorithm (i.e. the prover Algorithm 3 and the verifier 
Algorithm 4) involving conjunction and disjunction of multiple 
assertions. The security proofs of the proposed efficient NIZK 
proof algorithm are given in Appendix B. 

8. We have analyzed the performance of our scheme involving 
our proposed NIZK proof systems and compared it with existing 
protocols. 


2. Related work 


There has been extensive research on e-voting system over the 
past two decades. Researchers have proposed a number of E2E veri- 
fiable schemes and some of these are used in practice. Notable E2E 
e-voting systems include Votegrity [1] (proposed by Chaum), Mark- 
pledge [24], Prêt à Voter [25], STAR-Vote [26], Punchscan [27], 
Scratch & vote [28], Scantegrity, Scantegrity II [29], Helios [11], Bingo 
Voting [30], Wombat [12], DRE-i [3], DRE-ip [4]. A review of these 
systems can be found in [31]. Many other schemes follow similar 
approaches, in particular, a variant of Prét 4 Voter, vVote, was used 
in 2014 state election in Victoria, Australia [32]. Scantegrity [29] 
was trialled in local elections in Takoma Park, Maryland, USA [33]. 
Helios [11] was used to elect Université catholique de Louvain in 
2009 and it has been used in universities and associations (IACR 
and ACM). Other schemes that have been used in internal univer- 
sity or party elections include Punchscan [27], Bingo Voting [30], 
Wombat [12] and DRE-i [3]. However, almost all DRE based E2E 
verifiable systems require a secure bulletin board. Our system relaxes 
the requirement of secure BB and provides efficient solution using 
blockchain and cloud server. All of the above systems consider voter 
registration and authentication outside of their scope. In our proposed 
system, we have incorporated a secure and verifiable voter registration 
and authentication mechanism using biometric. 
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There are few online internet voting systems based on blockchain. 
In [34], Zhao et al. proposed a voting system using Bitcoin [14]. In their 
voting system, the vote does not need to be encrypted and decrypted. 
Random numbers are used to hide the ballot that are distributed 
using zero-knowledge proof. Tarasov et al. proposed a cryptocurrency 
based voting system in [35]. This system is based on the payments 
that she receives from the voter. The problem with this system is 
that malicious voters may refuse to “pay” the candidate to retain the 
money. Furthermore, a centralized trusted authority who coordinates 
between the candidates and voters must exist. There are smart con- 
tract based internet voting systems [36] based on Open Vote Network 
(OVN), which only support two candidates (“YES”/“NO” voting) and 
voting is restricted to limited (approximately 50) participants. Seifel- 
nasr et al. [37] have proposed improvements to OVN, introducing an 
off-chain untrusted administrator to perform the bulk computations. 
Tivi [38], Followmyvote [39] and The Blockchain Voting Machine [40] 
are commercial internet voting systems that use the blockchain as 
ballot box. They claim to achieve verifiability and accessibility any- 
time and anywhere; however, the voter’s privacy in these systems are 
hard to evaluate. Recently, a blockchain-based voting service has been 
launched by the Abu Dhabi Securities Exchange [41]. In February 2016, 
Nasdaq, in cooperation with the Estonian Government, announced a 
blockchain-based e-voting system for shareholder voting [42,43]. In 
Estonia, a blockchain-based e-voting system has also been proposed 
for internal elections of political parties. In a report [42] by Scientific 
Foresight Unit of the European Parliamentary Research Service, the 
possibility of using blockchain in e-voting systems has been discussed. 
Compared with these e-voting systems, ours does not depend on any 
tallying authorities, and the tallying integrity can be verified by the 
public. In addition, we propose a secure voter authentication mecha- 
nism using biometric (fingerprint) and prove that our scheme satisfies 
eligibility verifiability property. In [44], Gaudry et al. showed two 
attacks on the encryption scheme used in the Moscow internet voting 
system, and in the first attack the authors showed that the used key 
sizes were too small. 


3. Preliminaries 


In this section, we focus on the trust requirements and cryptographic 
assumptions based on which we prove the security properties of our 
proposed protocol. 


3.1. Trust requirements 


We describe our trust requirements that our scheme is expected to 
meet. 


e Voter registration official. Each voter’s biometric (for example, 
fingerprint) template is collected during the voter registration 
phase so that only eligible voters are registered with rights to 
vote. A biometric encryption of the collected biometric data 
is securely stored by the election authority. Voter registration 
information is then displayed on a public bulletin board. The 
voter should check her registration data against her voter ID 
number (and name) on the public bulletin board using her receipt 
(that will be provided during the voter registration phase). Voters 
should raise an issue if their receipt does not match with those on 
the public bulletin board. 

Key management for mixnet server. We use mixnet servers to 
display all voters’ registration data in a public bulletin board. We 
assume that at least one mixnet server is honest and does not 
reveal its secret key. The secret keys of the mixnet servers can 
be distributed among officials using a threshold cryptography. 
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+ Integrity. We assume that the voting machine or the BB may 
alter the voter’s vote or change the tallying results. It may happen 
by accident (for example, due to some software bugs) or by 
malice (for example, due to some adversarial attack). However, 
we require that any such changes will be detected even when the 
machine is completely controlled by an adversary. We prove that 
our scheme meets this requirement. 

Vote secrecy. When a voter selects her chosen candidate on the 
touch screen, the DRE machine learns her vote by definition. This 
is inevitable. We assume that the DRE machine keeps the voter’s 
choice secret. However, we require that when the DRE machine 
is momentarily compromised by an adversary, the adversary will 
only learn the partial tally at the time of compromise and the vote 
currently being cast, but nothing beyond that. We also prove that 
our scheme satisfies this requirement. 


3.2. Assured properties 


The following properties should be fulfilled by an e-voting protocol. 
We prove that the our scheme also satisfies the following properties. 


e Eligibility verifiability. An observer can verify that those voters 
who have completed the registration phase successfully can only 
cast their ballots and there is at most one vote per one voter [45]. 
End-to-end verifiability. As mentioned before, a voting scheme 
is end-to-end verifiable if it has a mechanism to ensure that every 
ballot is cast as intended, recorded as cast and tallied as recorded. 
Voter’s privacy. Over the years, researchers have refined the 
notion of voter’s privacy into following three properties [31]. 

1. Ballot secrecy: The voting system must not reveal the vote 
which an encrypted ballot corresponds to. 

2. Receipt-freeness: The voting system should not provide the 
voter any evidence to prove to a third party how she voted. 

3. Coercion-resistance: The voter should be able to cast her vote 
in favor of her chosen candidate even when she appears to be 
cooperating with a coercer. 


3.3. Cryptographic assumptions 


We first describe some notations that we use throughout our paper. 

Notation. We use the same notations that are used in the DRE-ip 
system. These notations were introduced by Camenisch and 
Stadler [46]. We use Py {A: T = y*} to denote a non-interactive proof 
of knowledge of a secret 4 such that T = y? for publicly known T 
and y. We shorten the notation to Px, {A} where context is clear. We 
use Pyp{A : X,...,Y,Z} to denote a proof of well-formedness of A 
with respect to X,...,¥, Z. We shorten the notation to Py, p {A} where 
context is clear. 

Cryptographic setup. Our proposed system works over an ECDSA 
like group setting or a DSA like multiplicative cyclic group setting 
where the decisional Diffie-Hellman (DDH) assumption holds. In par- 
ticular, we can choose two large primes p and q such that q divides 
(p — 1). Then we choose the subgroup G, of order q of the group 
Z* and assume that g is the generator of G,. q must be greater than 
the number of voters. The decisional Diffie-Hellman assumption [47] 
is given below. We use the DDH assumption to prove the security 
properties of our proposed protocol. 


Assumption 1 (DDH). The two probability distribution {(g%, g’, g”): 
a, b are uniformly and independently chosen from Zi} and {(2%, g’, g°) : 
a,b,c are uniformly and independently chosen from Zi} are computa- 
tionally indistinguishable in the security parameter n = log(q). 


Unless otherwise specified, some notions are defined in Table 1. 
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Table 1 
Notations. 
Notation Description 
M An upper bound on total number of voters 
n The number of candidates contesting the election, n(n >= 2) 
v; The vote corresponding to ith ballot, the value M/~', where j € {1,2,...,n} 
A The secret r; corresponding to the ith ballot 
gi A generator of the group G,, Vi € {1,2} 
U, For the ith ballot, gý 
V, For the ith ballot, gy ely where j € {1,2,...,”} 
T' U; (i.e. gi) corresponding to the ith ballot 
y' It represents g, 
p" V; /gM" corresponding to the ith ballot, where / € {1,2,...,n} 


It represents g,,V/ € {1,2,...,n} 


3.4. Background information 


Protocols for secure E2E verifiable e-voting systems rely on various 
cryptographic primitives or building blocks. In this section, we briefly 
discuss those cryptographic primitives. Over the years, researchers in 
the field of e-voting literature use various public key cryptosystems to 
make their system secure and verifiable. A comprehensive review of 
various public key cryptosystems and their security properties could 
be found in the book by Stinson [48]. We use ElGamal encryption and 
its variation in our proposed e-voting systems. 


3.4.1. Biometric encryption 

Biometric technologies add a new level of authentication to various 
applications; however, there are always risks and challenges related to 
privacy and security of the biometric. Some of technical challenges in 
biometric authentication algorithms include accuracy, reliability and 
security of the biometric. The main privacy and security risk related to 
the biometric technologies is creating a digital artifact of the biometric 
from the stored biometric template data in such a way that it will match 
with the original biometric data, called masquerade attack. Some other 
security and privacy risks include spoofing attack, replay attack, over- 
writing YES/NO result attack, tampering attack, Trojan horse attack, 
substitution attack, misuse of the biometric image (data theft), unau- 
thorized secondary uses of the biometric etc. These kinds of risks limits 
the uses of biometric technologies in practical applications. Biometric 
encryption technologies can enhance both the security and privacy of 
the biometric data. In 1996, Tomko et al. [49] first introduced the 
concept of biometric encryption. A comprehensive review of biometric 
encryption technologies can be found in papers [50-53]. Biometric 
encryption is a technique that either binds a randomly generated key 
with the biometric or generates a key from the biometric. The resulting 
data is called biometrically encrypted key or biometrically encrypted 
data. This biometrically encrypted key is then stored. This key can be 
regenerated only when a correct fresh biomeric is presented. 


3.4.2. Zero-knowledge proof 

Zero-knowledge proof was first introduced by Goldwasser, Micali, 
and Rackoff [54] to prove the truth of a statement without conveying 
any other information. Subsequently, Bellare and Goldreich [55] re- 
fined the definition of zero-knowledge proofs to distinguish them from 
proofs of knowledge. We use Schnorr’s proofs of knowledge of discrete 
logarithm [56]. We then apply the technique proposed by Cramer, 
Damgård Schoenmakers [57] to construct proof of disjunctive, conjunc- 
tive and combination of both. Fiat-Shamir heuristic [58] is applied to 
make the constructed proof non-interactive. The security proofs are in 
random oracle model [59]. The index i of the transaction is embedded 
as input to the hash function to bind the proof to the transaction. In 
this paper, we propose an efficient NIZK proof. The proposed prover 
(Algorithm 3) and the verifier (Algorithm 4) algorithms are described 
in detail in a later section. 


3.4.3. Blockchain 

Since the invention of Bitcoin, research on bitcoin [14] and 
blockchain has become a thriving field. One other blockchain that has 
become highly influential in research community is Ethereum [60]. In 
this section, we briefly describe blockchain. Blockchain uses its peer- 
to-peer network to accept and store the transactions in a decentralized 
fashion. The network stores the transactions by hashing the into the 
ongoing blockchain. While adding a transactions into the blockchain, 
it uses a hash-based proof-of-work mechanism to form a record that 
cannot be changed without redoing the proof-of-work. The longest 
chain in the blockchain network serves as the proof of sequence of 
events witnessed. As long as majority of the CPU power in the network 
is controlled by the honest nodes, they will generate the longest chain 
outpacing the dishonest nodes. In a blockchain’s network, messages are 
broadcast, nodes can leave or rejoin the network at their will, accepting 
the longest chain as a proof of what happened while they were gone. 

Transaction. Each transaction bears the digital signature of its 
owner. Transactions are broadcast and all the nodes agree to accept 
the longest chain of blocks as the current record of the blockchain. 
Transactions are stored in the order in which they were received 
into the blockchain. The structure of a transaction is defined by the 
corresponding blockchain. 

Blocks and hashing. A block may contain several transactions 
arranged in a Merkle tree fashion. The transactions are hashed into a 
Merkle tree and only the root of the tree is included in the block’s hash. 
A cryptographic collision resistant hash function is used to take hash of 
the block and published widely. Each hash includes the previous hash 
in its hash to form a chain with each additional hash reinforcing the 
previous one, and hence any modification in the chain will be detected 
by checking the hash values. Each node checks the hashes of all blocks 
in the blockchain and accepts the longest chain whose hashes match 
correctly. The network avoids double inclusion of the same transaction 
or block that has already been added earlier. 

Proof-of-work. A proof-of-work is a computationally expensive task 
that will be performed by a miner to include a transaction or a block 
into the blockchain. As the blocks are added one after the another 
into the blockchain after performing proof-of-work and the previous 
hashes are included into the current block, to modify a prior block in 
the blockchain, an attacker has to redo the proof-of-work computation 
for that block as well as all the blocks after it in the blockchain 
so that it can readjust all the hashes in the blockchain from that 
block. The exact proof-of-work algorithm depends on the corresponding 
blockchain. In Bitcoin, the proof-of-work system is similar to Adam 
Back’s hashcash [61]. The proof-of-work involves searching for a value 
that when hashed begins with a predefined number of zero bits. There- 
fore, to perform this task, the average work to be done is exponential 
with the number of predefined zero bits; however, it can be verified 
performing only a single hash computation. In Bitcoin, this proof-of- 
work is performed by incrementing a nonce in the block until a value 
is found such that the block’s hash begins with the required number of 
zero bits. Once a block is appended into the blockchain after performing 
this proof-of-work, it cannot be changed without redoing the proof- 
of-work. As new blocks are appended one after the another into the 
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blockchain, modifying a block requires to perform the proof-of-work 
task again for that block as well as all the blocks appended after it in 
the blockchain. 

Network. The network is similar to Bitcoin’s peer-to-peer net- 
work [14]. 


3.4.4. Mixnet 

Consider a set of messages sent by various senders who wish to 
shuffle the messages without reveling the secret permutation. This 
functionality was first introduced by Chaum [62] in 1981 and called the 
protocol as mixnets. Since then, several mixnet protocols are proposed 
in the literature based on different definitions and constructions. These 
mixnets can be classified into two types: heuristics-based mixnets and 
robust mixnets. In heuristics-based mixnets, the shuffling is usually 
done for low latency applications and executed almost synchronously, 
for instance, web browsing. This kind of mixnet protocols maintain 
some level of privacy; however, some mixnet servers may drop or 
corrupt messages, although the impact of this may not be serious. In 
this case, a different set of mixnet servers can be used to perform 
proper mixing. In robust mixnets, the requirements are very strict such 
as inputs messages cannot be modified or dropped. These mixnets 
can be used in applications like voting. The shuffling may take sig- 
nificant time like hours or even a day since the mixing is done in 
large batches. The privacy of the shuffled permutation should also 
be preserved and should be provably secure and protected. In 1990, 
Sako and Kilian [63] proposed a new kind of mixnet protocol with a 
new property, called universally verifiable mixnet. The proof of correct 
shuffling provided by the mixnets can be verifiable by the public or 
any observer of the protocol. Since the generation of the proof for the 
correct shuffling takes a significant amount of time, the efficiency of 
this mixnet protocol decreased. Generally, these kinds of universally 
verifiable mixnet protocols publish all its inputs, outputs and the proof 
of correct shuffling on a public BB so that anyone can verify the 
correctness of shuffling. Neff [64] proposed a universally verifiable 
mixnet protocol that requires 8N exponentiations (not counting bulk 
modexp optimizations). To preserve the privacy and the integrity of 
the system, it is assumed that not all mixnet servers cooperate with the 
adversary. This means that, to preserve the privacy and the integrity, 
at least one mixnet server must be honest who does not reveal its secret 
key and the random permutation to the adversary. 


3.4.5. Secure multi-party computation 

In 1986, Yao [65] proposed garbled circuit representation to per- 
form any secure multi-party computation. In this method, decompo- 
sition of the computation is performed bit-by-bit basis using several 
gates. Although Yao’s protocol can compute any multi-party compu- 
tation securely preserving the secrecy of their input, it is inefficient in 
practice. In 1987, Goldreich et al. [66] proposed the GMW protocol 
to perform secure multi-party computation with honest majority. Ben- 
Or et al. [67] proposed a secure multi-party computation protocol, 
called BWG protocol. BWG protocol defines how to compute addition 
and multiplication on secret shares and is often used with Shamir 
secret sharing schemes. A comprehensive study on secure multi-party 
computation can be found in [68]. 


4. A weakness of the DRE-ip system 


In this section, we recall the DRE-ip [4] system, present one weak- 
ness of the system and provide a countermeasure. We describe the 
DRE-ip algorithm almost verbatim as given in [4]. 
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4.1. The DRE-ip system 


We describe the DRE-ip algorithm for the case when there are only 
two candidates contesting the election. The DRE-ip algorithm does not 
require any tallying authority. Let v; be the vote corresponding to 
the ith ballot, then we have v; € {0,1}. During the setup phase, the 
algorithm chooses two generators g4, g, of the corresponding group G, 
such that their logarithmic relationship is unknown. The DRE keeps 
track of the partial sum s = Yr; for the random numbers r, generated 
on the fly and the running tally t = £v; for the cast (confirmed) vote v,. 
The system incorporates Benaloh-style voter-initiated auditing [69] in 
which the voter gets option to audit their vote generated by the DRE 
to get confidence that the DRE generates the ballot according to her 
vote. An audited ballot cannot be used to cast a vote. At the end of the 
voting phase, the set of total ballots B will be comprised of the set of all 
audited ballots A and the set of all confirmed ballots C i.e. B= AUC. 

Voting phase: This phase involves the DRE, voter and the bulletin 
board: 

1. The voter enters the booth, starts voting and keys in her vote 
v; € {0,1}. 

2. The DRE generates random r; € Z, and computes U; = ae Vi, = 
85 83> Pwr lV; € 8182 U;} 

The DRE provides a signed receipt including the unique ballot index 
i and contents of the ballot U;, V,, Piy p {V;} to the voter. 

3. The voter notices that the first part of the receipt is provided, 
then she chooses to either audit or confirm her vote. 

In case of audit: 

4. The DRE adds i to the set of audited ballots A and provides a 
signed receipt to the voter. The receipt is clearly marked as audited 
including r; and v;. 

5. The voter takes and keeps the receipt. The voter verifies that v; 
reflects her choice. If the verification succeeds, the voting continues 
from step 1; otherwise if the verification fails, the voter should raise a 
dispute immediately. 

In case of confirmation: 

4. The DRE adds i to the set of confirmed ballots C. The DRE updates 
the tally and the sum: t = È jec vj and s = Vice rj. 

The DRE provides a signed receipt, clearly marked as confirmed to 
the voter. The DRE securely deletes r; and v;. 

5. The voter leaves the polling booth with her receipts. 

6. The DRE posts all receipts provided to the voter on the bulletin 
board. 

7. The voter matches her receipts with those on the bulletin board 
to verify that her receipts are posted on the bulletin board. 

Tallying phase: This phase involves the DRE, the bulletin board and 
the public: 

1. The DRE posts the final tally ż and the sum s on the bulletin board. 

2. The public: 

- verify that all the well-formedness proofs on the bulletin board are 
correct (well-formedness verification); 

- verify that, for all audited ballots on the bulletin board, U, and 
V, included in the first part of the receipt are consistent with r;, v; 
provided in the second part (along with the system parameters g], g2) 
(audit consistency verification); 

- verify that following equations hold (tally verification): 


[14 = si and Tyee % = 838; 
jec 

If at any point during voting phase or tallying phase, any of the 
verification by the voter or the public fails, the election stuff should 
be notified. These include step 5 (for the audited votes), step 7 of 
the voting phase and step 2 of the tallying phase. The proof of well- 
formedness Py -{V; : g),8,U;} can be implemented as Pyp{V;} = 
Par; : (U; = AV, = 8) VU; = AV /82 = 85}. Pwr {Vi} isa 
non-interactive zero-knowledge proof of well-formedness of the ballot. 


S. Panja and B. Roy 


Table 2 

DRE-ip bulletin board. V, € VARA g2} s is the 
sum of all random variables of confirmed ballots 
and ż is the final tally. 


Initial: g,, g 


i: Up V Pør {Vi} audited, r,, v; 
j: U;,V;, Pwr {V;} confirmed 
Final: t, s 

Table 3 


Additional ballots added by an adversary. 


Initial: g,, g, 


j+1: U, Vi, Pyr {V1} confirmed 
j +2: Uz, Vz, Pyr {V2} confirmed 
j+k: Up, Vo Pwr {Ve} confirmed 


Final: t + k.v, s 


The DRE-ip system records each audited and confirmed vote on the BB 
in a tabulated form given in Table 2. 

The Theorem 1 in [4] analyzes the security of the DRE-ip algorithm. 
The Theorem | states that, in DRE-ip, assuming that all proofs of well- 
formedness are proofs of knowledge, if the public well-formedness and 
the tally verification succeed, then the reported tally is the correct tally 
of all confirmed votes on the bulletin board. 

In [4], Shahandashti et al. also consider an intrusive adversary that 
apart from the ability to determine an arbitrary number of votes, gets 
read access to the DRE storage for a period during the voting phase. 
The authors consider that the adversary can control arbitrary number 
of voters, hence in effect she can cast an arbitrary number of votes. 
During the access period, the adversary is able to observe the votes 
cast and read the partial tally ż and partial sum s. 

The Theorem 2 of the paper [4] analyzes the ballot secrecy in 
case of an intrusive attack. It states that, in DRE-ip, assuming that all 
proofs of well-formedness are zero-knowledge, if the DDH assumption 
holds, then an adversary that determines an arbitrary number of votes 
and gets temporary read access to the DRE storage cannot get any 
information about the non-adversarial votes cast before and after the 
adversarial access period other than their partial tallies. 


4.2. Analysis of the protocol 


(1) Weakness. If the voting machine and the election authority 
collaborate, the following attack is possible. The election authority who 
is responsible for publishing the total number of voters cast their votes 
in the election needs to increase the total count of cast votes. The 
attacker can add some valid ballots in favor of her chosen candidate at 
the end of the bulletin board in such a way that it cannot be detected 
by the DRE-ip tally verification algorithm. 

Suppose an attacker would like to add some ballots in favor of her 
candidate. The attacker can choose some random numbers r1,1r3,..., fk 
from Z, such that a ır; = 0 (mod q). The attacker generates encrypted 
ballots of the form ((j + i: U;, V, Pwr {V; Y), confirmed), where U; 
gyi = 83 87> Pwr {Vit = Purl : 81»82,U;} = Pir; : (U; 7 
gD AV; = g) v (U; = gi) A V/s, = g ))} and v Ww € {0,1}) is 
the vote in favor her candidate. Since the attacker knows r, and v, she 
can generate the non-interactive zero-knowledge proof Py p {V;}. 

If an attacker posts encrypted ballots in favor of her candidate in the 
above form (Table 3) with zero-knowledge proof of well-formedness 
Py {V;} and changes the final tally from t to (t + k.v) as soon as 
the DRE publishes the final tally ż on the BB, then such attack cannot 
be detected by the tally verification procedure of the DRE-ip system. 
The attacker does not need to change the sum s. This is because 


k 
gy "Sg = g, = e, the identity element of the group. The 
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attacker can increase the final tally to (t + k.v). The tally verification 
procedure verifies all zero-knowledge proofs and checks the following 


equations: [J] ec U; = gb Ijec %4 = ee, which will succeed in 
this e The first of the two tally verification equations: [],¢c¢ Uj = 
gibt i zi gee "= g} and the second of the two tally verification 


k k 
A 8+), 7] ) ři ) . 
equations: Tec V; = z Lie al = gigr'! ‘eo = gigit" . This 


is a weakness of the system. The above mentioned ballots can be 
added at the end of the bulletin board. Note that the proof of well- 
formedness of the above mentioned confirmed ballots are correct, and 
hence the tally verification procedure of DRE-ip algorithm [4] satisfies. 
The DRE-ip algorithm is developed to eliminate requirement of the 
tallying authority. However, as described above, an attacker can mount 
the above attack in the following scenario: 

(i) The bulletin board is secure and append-only; however, the 
adversary gets access to the DRE machine to get the signature of 
above ballots. Additionally, if the election authority colludes with the 
adversary, an attacker can post the above mentioned ballots at the end 
of the bulletin board. The signature key can be compromised at the 
setup stage, or a malicious DRE-ip software can generate such ballots. 

Possible countermeasure. To prevent the weakness 1, we assume 
that the names of voters who have cast their votes are not published 
on the bulletin board since it has a disadvantage: everybody learns who 
abstained from voting. Such information in some cases might be illegal 
to be revealed (see, for example, [70]). We have provided a secure 
and verifiable voter registration and authentication procedure that will 
generate a token. This token is presented to the DRE machine. The DRE 
checks the validity of the token. If the verification succeeds, the DRE 
allows the voter to cast her vote. We have described this in detail in a 
later section. 

To prevent this kind of attack, in our proposed voting scheme 
discussed later, we include hash of the previous ballot and a NIZK 
proof of a valid token number (generated by the voter authentication 
procedure) with each ballot. This creates an append-only list of ballots 
that cannot be modified by an adversary. The hash of the last ballot 
in the election is published with the final tally message along with 
two NIZK proofs: one of these two NIZK proofs proves the knowledge 
of the partial sum s; the other NIZK proof proves the knowledge of 
s.prev_hash. 

Note that the idea of a running hash is not new in the e-voting 
system. In 2007, Sandler and Wallach described the idea of hash linking 
of votes to ensure the integrity of their system [71] and later applied 
in the VoteBox system [72]. In 2011, Benaloh and Lazarus proposed a 
similar idea to mitigate their Trash attack [13], and in 2013, Bell et al. 
used a similar idea in their Star-Vote system [26]. We extend a similar 
idea to our proposed e-voting system. 


5. Our proposed voter registration and authentication scheme 


In this section, we propose a secure and verifiable voter registration 
and authentication algorithm. In our scheme, a biometric encryption 
algorithm is used to bind a secret key with her biometric data (fin- 
gerprint). This secret key is one of the secret keys used for verifying 
the authenticity of the voter. We first describe the voter registration 
algorithm. 

Our proposed system requires a fingerprint scanner with fingerprint 
pulse at the sensor and a smart card reader. The smart card reader 
must be attached to a device that will verify the eligibility of the voter. 
It generates a token that will be presented to the DRE machine to 
proceed with the voting process. It also requires a public bulletin board 
to display the voter registration data. 
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Voter provides her foundational Identity Card (for example, 


election ID card or Passport) to the voter registration official 


Invalid Card 


The official verifies 
her identity card 


Valid Card 


The voter provides her fingerprint using a fingerprint scanner 


Fingerprint template 


Generate a random key 75 


Fuzzy Vault binding algorithm with optional secret transform 


Exit 


Journal of Information Security and Applications 59 (2021) 102815 


Biometrically encrypted data D is 
stored by the election authority 


Generate another random number 7; 
in a smart card and compute 
E (gi Callr:2)) 


The machine provides a signed receipt 
(VOTER_ID,,E(g#:ll"2))) to the voter 
and the same is published on a public 
bulletin board. H(D) is given to the voter 
in the smart card 


The voter is given the smart card containing 
T;2 and H(D). The machine deletes 7;3, 7; 
and the fingerprint data and its template 


When the voter enrolment process 
finishes, all the data E(g¥ @isllriz)) 
corresponding to all the voters are sent to 
a set of mixnet servers. It finally outputs a 
set of data g#C2llr:2) for all voters 


Fig. 1. A logical workflow of our proposed voter registration mechanism. 


5.1. Voter registration 


In this phase, voters will provide their personal information in- 
cluding voter identification number and fingerprint to register for the 
election. The voter registration process may occur throughout a year 
before the election. The voter registration data corresponding to each 
voter are displayed on a public bulletin board so that the public 
can verify the voter’s eligibility and one-person-one-vote requirement. 
Fig. 1 depicts a logical workflow of our proposed voter registration 
mechanism. The following steps are performed to register a voter for 
the election. 

1. The ith voter provides her foundational identity card (for exam- 
ple, election ID card or Passport) to the voter registration official at the 
registration center. The officer verifies the election ID card. Then the 
voter has her fingerprint scanned at the registration center. 

2. We use a biometric encryption algorithm proposed by Nandaku- 
mar et al. [22], called Fuzzy Vault, to bind a randomly generated 
key into the voter’s fingerprint data. As shown in Fig. 2(a), a random 
number r, is generated on enrollment uniformly and independently 
from Z, so that neither the voter nor anybody knows it. This random 
number acts as one of the secret keys used in the registration process. 
The random number r; itself is independent of the biometric, and 
hence it can be changed or modified. 

In [22], the secret random key r, is represented as coefficients of 
a polynomial in a Galois Field, for example, GF(2!°). This scheme is 
designed to secure a key of length 16n bits, where n is the degree of 
the encoding polynomial. For example, if n = 8, we can secure a key of 
size 128 bits. The 16 bit x-coordinate value of the polynomial comprises 
the fingerprint minutiae location and the angle, and the corresponding 


Y-coordinate is computed from the polynomial at the point x. Both the 
values x and y are stored with chaff points to hide the real minutiae. It 
also stores fingerprint alignment information. 

Since Fuzzy Vault actually stores real minutiae even though they are 
buried inside the chaff points, this may become a source of potential 
vulnerability [50,52,53]. As a countermeasure, in [50], Jain et al. 
proposed a transform-in-the-middle approach (shown in the dashed- 
square in Figs. 2(a) and 2(b)) in which the fingerprint minutiae data 
are permuted based on the secret password of the user. 

3. The machine at the registration center generates another random 
number r; uniformly and independently from Z,. Then it computes 
E(g"ll"2)), where g is the generator of the group G,, E(g!(ll"2)) is 
the encryption of g” C1lr2) and ‘||’ is the concatenate operation. We dis- 
cuss this encryption procedure E later in this section. Then the machine 
provides a signed receipt consisting (VOT ER_ID,, E(g” “1 llr2))) to the 
voter. 

4. The random number rp is given to the voter in a smart card or 
token. The voter keeps the smart card safely with her. It will be required 
during the voter authentication phase. 

5. It publishes (VOTER_ID,, E(g#ll2))) on a public bulletin 
board. We assume that the device sends all the data to the BB over 
an authenticated channel using digital signature. The biometrically 
encrypted data D; along with VOTER_ID, is securely stored by the 
election authority in a database or locally (for example, a token or 
smart card). A hash of this biometrically encrypted data D;, H(D,), 
is also provided to the voter in her smart card (that also contains 
the random number r). The biometrically encrypted data D, will be 
used for verification of the voter during the voter authentication phase. 
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Randomly generated key 


Enrollment 
1101000..01 


5 n Fingerprint Template 
Fingerprint Image 
Fingerprint 1010001111... Fuzzy Vault 


Li 
Optional : 
‘at Naelviol iets “ad Li 
...001 binding algorithm i secrel j 
' transform k 
E L 
Securely delete it 
Securely delete it 1001011...010 
Securely delete it 
Biometrically encrypted data D is stored 
(a) 
Biometrically generated data D 
Verification 
1001011...010 
; : Fresh Fingerprint Template 

Fresh Fingerprint Image wroceeceecees i 
Li 

Li 
1 Optional r 
Fingerprint 10000101111... Fuzzy Vault ree ! ecel ! 
101 retrieval algorithm 1 s 
1 transform i 
Li 


Securely delete it 


1101000...01 


Retrieved key 


Securely delete it 


(b) 


Fig. 2. High level diagram of the Fuzzy Vault process to bind a key (r, in the description) with the fingerprint. (a) Enrollment process that binds a randomly generated key (r; 
in the description); (b) Verification process that retrieves the same key (r, in the description). 


Name 1 E(g™) = Coa >| Cy Cia = (9) 

Name 2 E(g®2) =Co2 > Cy2 C2 = (9%) 

Name 3 E(g*3) =Cy3 > G3 C13 = (9%) 
Mı Mı 

Name N E(g®") = Con > Ci Cin = (g) 


Fig. 3. Public bulletin board displaying voter registration data of N voters along with / mixnet servers. Here, Name i represents the name of the ith voter. Data, represents the ith 
voter’s data (VOTER_ID,, E(g!«""2))), R, represents H (r; llr). M, are mixnet servers Vk € {1,2,...,/}. Cy_1j,V/ € {1,2,...,N} are the inputs to the mixnet M,, and its outputs 


are C,;,Vj € {1,2,...,N}. The last mixnet server’s output (g"', g%,...,g°”) is a permutation of (g®i,¢%,..., gv), 

It securely deletes the random numbers r;,,r;. and the fingerprint 7. When the enrollment process finishes, all the receipts 

template. (VOT ER_ID,, E(g#1!l"2))) are published on the public bulletin board. 
6. The voter leaves the registration center and checks that her We use some mixnet servers proposed by Neff et al. [64] to permute the 

receipt is recorded on the public bulletin board. set of data g” ll") and publish it on the bulletin board. The input to 
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The voter provides her voter id, fresh 
fingerprint and the smart card containing 


T;2 and H(D) at a polling station 


Fingerprint template is generated. The 
election authority provides the voter's 
biometrically encrypted data D based on 
her voter id 


The hash of biometrically 
encrypted data D 
provided by the election 
authority matches with 
the H(D) value contained 
in the voter’s smart card 


Yes 


Fuzzy Vault retrieval algorithm with 
optional secret transform 


Does Fuzzy Vault 
decoding operation 
succeed? 


Failure 


Success 


Retrieved key Ta 
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Compute token; = H(7;1||"%2) 
and delete 7;,,7;2 and the 
fingerprint and its template 

securely 


The voter is given an encrypted 
value of token, using 


symmetric key encryption 


The voter goes to the DRE 
machine and presents her 
encrypted token token, 


Raise a 


dispute 


Exit 


Fig. 4. A logical workflow of our proposed voter authentication mechanism. 


the mixnet are (E(g#“11!l"2))), vi € {1,2,..., N}, where the encryption 
algorithm E depends on the mixnet servers [64], N is the total 
number of voters. It outputs g#ill"2), vi € {1,2,..., N} in a verifiable 
manner. Fig. 3 depicts the mixnet servers. The mixnet [64] servers 
provide NIZK proofs to prove a permutation between the input data 
(E(g# Cill2))), Vi € {1,2,..., N} and output g” Cal, vi € {1,2,...,N} 
without revealing the exact permutation. We assume that at least one 
mixnet server is honest, who does not reveal its secret keys and the 
permutation. 


5.2. Voter authentication during the voting phase 


In this section, we discuss the voter authentication procedure using 
the biometrically encrypted data collected during the voter registration 
phase. The voter authentication is performed in parallel with the voting 
phase. After a voter’s verification is successful, it generates a token 
number that will be used to cast her vote. All the voter’s biometrically 


encrypted data D; along with VOT ER_I D; that were collected during 
the voter registration phase are presented (for example, in a smart card) 
here at this phase for verification of voters. Fig. 4 shows a logical 
workflow diagram of our proposed voter authentication mechanism. 
The following steps are performed to verify the authenticity of a voter. 

1. The voter goes to the polling station and provides her 
VOTER_ID,, fingerprint, the smart card containing r; and H(D,) to 
verify her eligibility to vote. Note that the hash of the biometrically 
encrypted data D, provided by the election authority should match 
with H(D,) value stored in the voter’s smart card; otherwise, the voter 
should raise a dispute. 

2. We use the verification procedure of the Fuzzy Vault algorithm 
proposed by Nandakumar et al. [22] to verify her eligibility to vote. 
Fig. 2(b) illustrates the verification procedure of the Fuzzy Vault al- 
gorithm [22]. On verification, the user provides her fresh fingerprint 
data which, when applied to the legitimate biomerically encrypted data 
D,, will let the Fuzzy Vault algorithm recreate the same key r. If 
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The voter presents her encrypted token to the 
DRE machine. The DRE decrypts it (using 


symmetric key) to get the token . 


Check whether an entry 
g=?” exists on the 
public BB containing 

voter registration data 


Yes 


Check whether a 

‘confirmed’ ballot No 

with g'**" exists on 
its own public BB 


containing all ballots 


Yes 


DRE adds i to the setofall 
confirmed ballots, evaluates partial 
tally t = Xjec YS = jec G.DRE 

provides a signed receipt to the 
voter, marked as ‘confirmed’ and 
deletes 7;,v; and token securely 


DRE creates a transaction for this 
‘confirmed’ ballot and posts it on its 
public BB 


Voter leaves the booth with 
her receipts 


Voter verifies that all her receipts matches with those 


on the BB; otherwise, she should raise the issue 


Confirm 
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The voter keys in her vote v; 


Generate a random number r; , 
encrypt the vote v; and generate NIZK 
proof of knowledge of 7; 


The voter receives the first part of the 
receipt including ballot content 
(encrypted) and g***** 


Voter chooses to 
either audit or 
confirm her vote 


DRE provides a signed receipt to 
the voter, marked as ‘audited’ to 
the voter including r; v; and adds 
i to the set of audited ballots 


DRE creates a transaction for this 
audited ballot and posts it on its 
public BB 


Voter verifies 
her choice of 
vote v: 


Failure 


Raise a 
dispute 


Fig. 5. A logical workflow of our proposed voting procedure. 


a sufficient number of minutiae points coincide with some genuine 
recorded points, the full polynomial can be constructed using an error- 
correcting code (for example, Reed-Solomon error-correcting code) or 
Lagrange interpolation. The secret will be correctly decrypted only if 
the polynomial is correctly constructed. The performance results show 
that FRR (False Rejection Rate) is about 6% to 17% and FAR (False 
Acceptance Rate) is about 0.02%. The FRR is due to poor samples that 
are fact of life in biometric systems. However, the FRR could be signif- 
icantly reduced through retries. The Fuzzy Vault algorithm is designed 
to account for an acceptable variations of the input fingerprint. On the 
other hand, an imposter with different enough fingerprint will not be 
able to recreate the key. 

3. It provides token; = H(r;\||r;.) as a token number to the voter. 
The token number token; is given to the voter in an encrypted format 


10 


using a symmetric key encryption. At the end of verification procedure, 
it securely deletes r;,,r;.,token;, the fingerprint and the fingerprint 
template once again. 


4. The voter goes to the DRE machine and presents her encrypted 
token. 


Voters must observe the public bulletin board (Fig. 3) throughout 
the election stage to ensure that their registration data are not being 
changed. If, at any point between the voter registration and the final 
tallying phase, any of the entry on the public bulletin board is changed 
based on her receipt, the voter must raise an issue with the election 
official. Note that the proposed voter registration and authentication 
scheme can also be incorporated into other verifiable e-voting systems. 
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Initialization: Group public information , q, g1, 92 
and public key of the signature PK ign 


Receipts: 


(1,g'ke™, prev_hash, Uy, Vi, Pwr {Vi}, Px {token;}, audited, r,, va, sign) 


(2, gk", prev_hash, Uz, V2, Pwr {V2}, Px {tokens}, confirmed, sign) 


ig” ni, prev_hash, U;,V;, Pwr {V;}, Px {token;}, audited, r;,v;, sign) 


(i,g°**", prev_hash, U;,V;, Pwr{V;}, Px {token }, confirmed, sign) 


Final tally message: 


(ky, prev_hash, t, gf, g3, Px{s}, Pr{s.prev_hash}, final, sign) 


Fig. 6. A public bulletin board of our system. 


5.3. Performance analysis of the voter registration and authentication 
scheme 


The voter registration phase is conducted well before the actual 
election. For each voter, the voter registration procedure includes exe- 
cution of the Fuzzy Vault algorithm and computation of one encryption 
E(g#ill"2)), where the encryption algorithm E depends on the mixnet 
server [64]. The mixnet [64] requires 8N exponentiations, where N is 
the total number of voters registered for the election (in an electoral 
constituency). Therefore, the computational time complexity of the 
voter registration scheme involves execution of the Fuzzy Vault algo- 
rithm and O(N) exponentiations for Mixnet. The voter registration may 
be done throughout a year before the election. Voter authentication 
includes execution of the Fuzzy Vault key retrieval algorithm and 
computation of a symmetric key encryption of H (r; l|r;2). 


6. Our proposed voting system 


In this section, we propose a voting scheme, analyze its security 
properties, propose efficient NIZK proofs, compare it with some well- 
known DRE-based voting systems and finally measure its performance. 
It requires a DRE machine with a printer attached to it and a public 
bulletin board to show the recorded ballots in public. The bulletin 
board can be a publicly accessible web site. 


6.1. Proposed voting scheme 
The voting scheme is described in this section. 
6.1.1. Voting and tallying phase 
We now describe the algorithm for the voting phase and the tallying 


phase. The DRE-ip system is modified to prevent weakness 1 and the 
ballot stuffing attack. In our system, the BB can be insecure. However, 


11 
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if the adversary tries to modify the content of the BB, it could be 
detected by the public because of the use of hashchain. Let us assume 
that one DRE machine is used to elect a candidate in a regional 
zone. Extension to multiple DRE machines has been discussed in a 
later section. We assume that the DRE sends recorded ballots to BB 
over an authenticated channel using standard technique such as digital 
signatures. For simplicity, the algorithm is described for the case where 
there are only two candidates i.e. if v; represents the vote for the ith 
ballot, we have v; € {0,1}. Extension to multiple candidates has been 
discussed in a later section. An audited ballot is not used to cast a vote. 
Let A, C and B are the set of all audited ballots, confirmed ballots and 
all ballots respectively. Thus, at the end of the voting phase, B = AUC. 
We use the exponential ElGamal cryptosystem to encrypt the votes 
in which no party knows the decryption key. Fig. 6 depicts a public 
bulletin board of our proposed e-voting system. 

Key Generation Phase. 1. The system generates an efficient descrip- 
tion of a cyclic group G, of order q with two distinct generators g1, 82 
whose logarithmic relationship is unknown. 

2. The DRE publishes description of the group (G4, 4, 81, 82» Pksign) 
on a public BB, where Pk,,,,, is the public key of the digital signature 
scheme (for example, DSA) used by the DRE machine. Initially, £ = 0 
and s = 0. The DRE calculates hash of this transaction and stores it in 
prev_hash. The hash value prev_hash will be included in the next ballot. 
This hash must be verified by public during the tallying phase to ensure 
that this transaction remains unaltered. 

Voting Phase. This phase involves the voter, the DRE and the BB. 
Fig. 5 illustrates a logical workflow diagram of our proposed voting 
procedure. 

1. The voter goes to the DRE machine and presents her encrypted 
token. The DRE decrypts (using symmetric key) it to get the token 
(generated during the voter authentication phase). The DRE checks 
for an entry g’*" on the voter registration bulletin board (Fig. 3) 
corresponding to her token. It also verifies that this token has not been 
already used to cast a vote, by checking all confirmed ballots on its own 
public bulletin board (that displays all ballots, Fig. 6). If the verification 
succeeds, it allows the voter to proceed to the next step. 

2. The voter initiates the voting and keys in her vote v, € {0,1}. 

3. The DRE generates random r, € Zi, and evaluates 
U; =g, V; = 85 83's 
Pwr{V; : 81,82; U;} 
= Ptr : (U; = gD A V; = 83) V (U; = 87) A V;/82 = 85) 
= P{r; : (U; = g1) AV = 83) V Vi/82 = 8), 


and Px {token : (W, = g'*®”)}. 

Here, Pwr {V; : g1.8,U;} is a NIZK proof to show that the ballot 
is an encryption of either v; = 0 or v; = 1 (i.e. the ballot is well- 
formed). Px {r;} is a NIZK proof of knowledge of r;. Algorithm 3 (resp. 
Algorithm 4) and Algorithm 5 (resp. Algorithm 6) describe the creation 
(resp. verification) of the NIZK proof Py p{V;} and Px {token} respec- 
tively. The DRE machine provides a signed receipt including the unique 
ballot index i and the ballot content (i, g’°*", prev_hash, U;, V;, Py rV} 
Px {token}, sign) to the voter, where sign is the signature of (i, g*", 
prev_hash, U;,V;, Pw r{V;}, Pg {token}). 

4. The voter receives the first part of the receipt and chooses to 
either audit or confirm her vote. 

In case of audit: 

5. The DRE adds i to A. The DRE provides a signed receipt of the 
audit, marked as ‘audited’, including r;, v; to the voter. 

6. The DRE merges both parts into a single part ((i, gen yrev_hash, 
U;,V;, Pw r{V;}, Px {token}), audited,r;,v;, sign), where sign is the sig- 
nature of ((i, gloken prev_hash, U,,V;, Py r {V;}, Px {token}), audited, r;,v;). 
The DRE posts this receipt (or transaction) on the BB. The DRE 
computes hash of this transaction and updates prev_hash value. This 
prev_hash will be attached to the next ballot (or transaction). 
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7. The voter takes and keeps the receipt. She verifies her vote v,. If 
the verification succeeds, it continues to execute from step 2; otherwise, 
the voter should raise a dispute. 

In case of confirmation: 

5. The DRE adds i to the set C and updates the tally and the sum: 


f= Yue Èr (1) 
jec jec 

The DRE provides a signed receipt, marked as ‘confirmed’ to the 
voter. Then the DRE securely deletes r;, v; and token. 

6. The DRE merges both parts into a single part, ((i, g’°", prev_hash, 
U;, V,, Pw p{V;}, Px {token}), confirmed, sign), where sign is the signa- 
ture of ((i, g?” , prev_hash, U,, V;, Py p {V;}, Px {token}), confirmed). The 
DRE posts this transaction on the BB. The DRE computes hash of this 
transaction and stores it in prev_hash. This prev_hash will be attached 
to the next ballot (or transaction). 

7. The voter leaves the polling booth with her receipts. 

8. The voter verifies that all her receipts match with those on the 
BB. The voter should raise an issue if her receipts do not match with 
those on the BB. 

Verification by bulletin board (cloud or blockchain). This phase in- 
volves the DRE and the underlying BB. The BB can be implemented us- 
ing cloud server, InterPlanetary File System (IPFS), Ethereum 
blockchain (method 1) or a combination of both blockchain and cloud 
server/IPFS (method 2). The BB must verify the signature of the 
ballot before storing it. The BB may optionally verify the ballot well- 
formedness proof included in the ballot before adding it into the 
BB. 

Tallying Phase. This phase involves the DRE, the BB and the public. 

1. The DRE evaluates: I, gi, Ty = g h = g” rev-hash and 
Ty = g” rev-hash Then the DRE posts the final tally t, I, and T, on 
the BB with zero-knowledge proofs Py {s : (I, = gD A (a = 85)} and 
Px{s.prev_hash : (T3 = gre ACT, = gee), The Algorithm 7 
(resp. Algorithm 8) provided in Appendix A describes the procedure 
for generation (resp. verification) of these NIZK proofs. Let the tuple 
(t, Tı, T2, Px {s}, Px {s.prev_hash}) be denoted by ‘MESSAGE’. To post 
ith message, say ‘MESSAGE’, on the BB, the following procedure is 
adopted. 

G) The DRE creates a transaction consisting of the data 
(i, prev_hash, MESSAGE, final, sign), where sign is the signature of 
(i, prev_hash, MESSAGE, final). The DRE posts this transaction on the 
BB. 

2. The public: 

(i) verify that the hash of each transaction matches with the 
prev_hash value of the next ballot (or transaction). 

(ii) verify that the zero-knowledge proofs provided in step 1 of 
this tally phase are correct, provided the hash of the last ballot on 
the bulletin board. This step involves verification of the two NIZK 
proofs: (a) verification of Px {s}, given I, and I; (b) verification of 
Px {s.prev_hash}, provided T} (= ere) and I, (= pprehashy, where 
prev_hash is the hash of the last ballot on the bulletin board. 

Gii) verify that all the well-formedness proofs of each transaction 
on the BB (well-formedness verification) are correct. 

(iv) verify that for all the audited ballots ((i, g’°*", prev_hash, U,, V,, 
Pw p {V;}, Px {token}), audited,r;,v;, sign) on the BB: the first part of the 
receipt (i, g’*", prev_hash, U;,V;, Pwr {Vi}, Px {token}) is consistent with 
r; and vj. 

(v) verify that the signature of each transaction is valid. 

(vi) verify that all the NIZK proofs provided by the mixnet servers 
(Fig. 3 in Section 5.1) are correct. 

(vii) verify that all g'°%°” in all confirmed ballots on the BB (Fig. 6) 
are different and there exists only one entry with value g’°*" on the BB 
generated during the voter registration phase (Fig. 3). 

(viii) verify that all the NIZK proofs Px {token} are correct. 

(ix) verify that all the following equations hold (tally verification): 


[]4 =n., and [] Vj = ns. (2) 
jec jec 
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During the voting and tallying phase, if any of the verification 
carried out by the voter or the public fails, an issue should be raised 
with the election authority. We assume that there are procedures in 
place to deal with such verification failures. In practice, a truncated 
hash function may be used to calculate short digest e.g. 32 bit long for 
each part of the receipt so that a voter can easily compare their receipt 
with those on the bulletin board. In this case, voters are expected to 
verify their receipts with those on the bulletin board. We assume that 
there are facilities provided for them to do so in the polling station. 

If sufficient resources are available, there can be another optional 
module that takes a transaction from the proposed algorithm and 
checks whether it has been added to the BB. 


6.1.2. Extension to multiple DRE machines 

If multiple DRE machines are used in a regional zone (or electoral 
constituency) to elect a candidate, then instead of disclosing the tally 
from each DRE machine and then adding them together to get the 
final tally, we publish the final tally by combining the tallies from 
all DRE machines so that the tally from each DRE machine remains 
secret. The correctness of the procedure are realized by producing the 
corresponding zero-knowledge proof. This is particularly done to avoid 
revealing the distribution of voters against various political parties 
in small areas (where DRE machines are used to cast the vote) of a 
regional zone. Let the total number of DRE machines used in a regional 
zone be n(n € N). Let t and sq represent the tally t and sum of random 
variables s respectively for the ith DRE machine. 

1. Each DRE performs following tasks. 

(i) The ith DRE posts D) = ge 
tally t with Px {ty + sq : Dho = gr }, the non-interactive zero- 
knowledge proof of knowledge of the sum of tally t and sọ) for this 
DRE machine. The DRE also posts Tig) = he with Pk {sa : Tig = g? ie 
the zero-knowledge proof of the sum of random variables s for all 
confirmed ballots. 

(ii) Provided above information, the public perform all tasks stated 
in step 2 of the Tallying Phase. 

2. (a) Let the group information g, and g, be same for every DRE 
machine. If they are different for each DRE machine, we perform step 
(b) instead of this step. 

(i) Now all DRE machines perform two secure multi-party compu- 
tations, proposed later in this section, to evaluate tying) = Zl ti and 
S final = Z! so It publishes tsina aNd Srina as the final tally and the 
final sum of random variables. 

(ii) The public verify that []’_,Ioq@ = gg" gy imal’ and Tw = 


5 final 


on the BB instead of total 


(b) Let gig) and gy, represent the group information g; and g, 
respectively for the ith DRE machine. 

(i) Since, for every ith DRE, giç) is public information, each DRE 
can send their gj, to each other to compute g, = []/_,giq) and 
Ep = 22%- We assume that DRE machines can communicate with 
each other over an authenticated channel using digital signatures. It 
evaluates: Typ = g0", Do =g 0, To = 8s Taw = gË 

> fai) = E > fa) = 8a) > Fal) = Sa > Fy = Sy 

(ii) Each DRE posts (yo Do), Lai» Fy) on the BB with Px {ty + 
To. = pO lats@ 
so + 4 pi) = Sp Xi) 
Sua) The public must verify these proofs. 

(iii) Now all DRE machines perform two secure multi-party compu- 
tations, proposed later in this section, to evaluate t pina, = ZL ta and 
S final = ©, Sq: It publishes fpina and spinaj as the final tally and the 
final sum of random variables respectively. 

š ; ; t fina 

(iv) The public verify that JJ Ti) = g,"" 


Se 
final 
Ea . 


Si 
A Toya = & } and Px {sq | Tag = 8a° ATi = 


S final 
b 


and JJ Tai = 

Secure multi-party computations to compute Xt. Now we briefly 
describe a secure multi-party computation protocol to compute the sum 
of various parties’ private inputs. Suppose three parties have private 
inputs t,,f),t; respectively. Our secure multi-party computation proto- 
col runs in two rounds which is also the minimum number of rounds 
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Fig. 7. (a) Gas cost for casting a ballot based on the number of candidates contesting the election. (b) Costs for casting a ballot based on the number of candidates contesting 
the election. The costs are approximated in USD ($) using the conversion rate of 1 Ether = $243 and the gas price of 0.000000001 ether that are real world costs in July, 2020. 
Here, for both (a) and (b), casting a ballot involves storing a ballot on the blockchain without verifying the ballot well-formedness proof (NIZK proof). 


required to compute a function securely in any secure multi-party 
computation [73]. 

In the first round, the first party chooses random 1), ER Z,, and 
ti) Er Z, uniformly and independently. Then it computes tı; = (tı — 
tii — tj). The first party sends t,;, to the second party and 1,3 to the 
third party in an encrypted format over an authenticated channel. 
Similarly, the second party chooses random 15; Er Z,, and ty € Z} 
uniformly and independently. Then it computes t3 = (t) — tı — to). 
The second party sends t); to the first party and t»; to the third party 
in an encrypted format over an authenticated channel. Similarly, the 
third party chooses random 13; Er Z,, and t32 € Z, uniformly and 
independently. Then it computes t}, = (t; — t31 — t32). The third party 
sends t3, to the first party and ft) to the second party in an encrypted 
format over an authenticated channel. Now, after receiving t, and 
t3; from the second and the third party respectively, the first party 
computes T) = ti; +t), + t3,. Similarly, the second party computes 
Ty = ty + tn + tz and the third party computes T; = 113 + t23 + t33- 

In the second round, all the three parties send their T,’s to a fourth 
party who computes T = T, + T, + T}, which is the sum of t4, tz, 13. 

Note that the private input t; of each party remains secret after 
computation of their sum for all i € {1,2,3}. In a similar fashion, 
untrusted parties can compute the sum of their private inputs without 
revealing it. The zero-knowledge proofs, verification by the public 
and the final tally verification checks (step 2 of the Tallying Phase) 
collectively prove that all parties follow the protocol faithfully. 


6.1.3. Extension to multiple candidates 

If there are n(n >= 3) candidates contesting the election, we will 
consider an upper bound, say M, on the number of voters and will 
encode the vote for the jth candidate as v = M/~!. The ith ballot in that 
case will of the form ((i, g!*", prev_hash, U;,V;, Py p {V;}, Px {token}), 
audited,r;,v;,sign) in case of audit or (i, g”, prev_hash, U,,V;, 
Py r{V;}, Px {token}), confirmed, sign) in case of confirmed vote, where 
Vi = ge The well-formedness proof Py-{V;} will be 1-out-of-n 
disjunctive proof and can be stated as: 


à -1 A 
Pwr tv; : 8&1, 82:U;} = Pir; : Via (U; = gi) Aa Vg = g))} 
; -1 i 
= Pk{r; © Uj = gD AV _Vi/83" = 83))). 
The well-formedness proof Py,;-{V;} is a NIZK proof to show that 
the ballot is an encryption of v,, where v; € {1, M, M?,...,M""'}. 


6.2. Storing recorded ballots 


Depending on how the election is arranged, there can be several 
methods to store the ballots. In our modified DRE-ip system, any ballot 
is linked to the previous ballot by using the hash of the previous ballot 


13 


in the digital signature of the ballot. This creates an append-only list 
that can be maintained by anyone. In this section, we highlight two 
existing methods and propose two new methods to store these ballots. 

Using cloud server. The cryptographic group information, the 
public keys of the ElGamal encryption and digital signature, all the 
ballots and the final tally messages can be stored on cloud. The public 
bulletin board accesses the cloud storage to show the ballots. Due to 
the use of hashchain, any modification on the BB can be detected by 
the public during the tallying phase. Multiple cloud servers could be 
used to remove a single point of failure (see, for example, the public 
BB proposed by Palngipang et al. [74]). 

Using InterPlanetary File System (IPFS). All the cryptographic 
keys, ballots and the final tally messages can be stored in IPFS [75] 
system which is a distribute file system. The IPFS hashes can be stored 
separately on a public bulletin board. This will reduce the storage 
burden on the election authority, but will not eliminate it completely as 
the election authority needs to store the IPFS hashes anyway for others 
to be able to download the ballots and other information from the IPFS 
system. 

Using public blockchain (method 1). The cryptographic group 
information, the public keys of ElGamal encryption and digital sig- 
nature, all the ballots and the final tally messages can be stored on 
a public blockchain such as Ethereum. During the setup phase, the 
DRE sends a transaction containing the description of the group of the 
form (Gy, 4, 81, 82, Pksign) to the blockchain, where Pk,;,,, is the public 
key of the digital signature scheme. When a voter audits her vote, 
the DRE sends a transaction containing an audited ballot of the form 
((i, gioken prev_hash, U,,V;, Pw r {V;}, Pg {token}), audited, r;, vi, sign). 
When she confirms her vote, the DRE sends a transaction contain- 
ing a confirmed ballot of the form ((i, g'*®”, prev_hash, U;, V;, Py F{V;}, 
Px {token}), confirmed, sign). Finally, at the tallying phase, the DRE 
sends a transaction containing the final tally message of the form 
(i, prev_hash,t, I, T>, Pe {s}, Px {s.prev_hash}, final, sign). The public 
and the individual voters can verify that their ballots are included 
into the blockchain. Once a ballot is posted on the blockchain, it 
remains tamper-proof. The blockchain stores the ballots after verifying 
its signature. The blockchain may also optionally verify the ballot 
well-formedness proof (NIZK proof) for each ballot. However, it is not 
necessary for the blockchain to verify the ballot well-formedness proof 
(NIZK proof) since it will be verified by the public during the tally phase 
by a separate module. We have improved the performance of the 1-out- 
of-n NIZK proof by reducing the number of exponentiations to almost 
half as compared to the NIZK proof described in [4]. A small cartel of 
miners (< 51%) may delay transactions from being accepted into the 
blockchain by using selfish mining or feather forking. Such ability of 
miners to delay a transaction is a fundamental problem for every smart 
contract. We discuss the performance analysis (both cost and timing 
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measurements analysis) of the scheme in detail in a later section. The 
advantage of this method is that all the cryptographic keys, ballots and 
final tally messages remain tamper-resistant and can be verified by the 
public. The disadvantage is that this method may cost more than other 
methods described in this section. Therefore, it is preferable that the 
blockchain stores the ballots verifying only its signature, but without 
verifying any NIZK proof (Figs. 7(a) and 7(b)), since it will reduce 
the mining cost and all the NIZK proofs will be verified by a separate 
module in the tallying phase. 

Using both the cloud server/IPFS and the public blockchain 
(method 2). Another method to implement a public bulletin board 
is to use both the blockchain and the cloud server. We keep the 
bulk of the data on cloud and a minimal set of critical information 
on the blockchain so that no one can tamper with the data stored 
on the cloud without changing the more secure data stored on the 
blockchain. The cryptographic group information and the public keys 
of ElGamal encryption and digital signature (i.e. a transaction con- 
taining the description of the group of the form (G,,4q, 81, 82, Pksign)) 
are stored on a blockchain such as Ethereum in a single transaction 
before beginning of the polling phase. According to our proposed 
protocol, the hash of this transaction is included in the first ballot as 
well as in the signature of the first ballot. This transaction is the first 
transaction of the hash chain of ballots. During the tallying phase, the 
final tally message (i.e. a transaction containing the final tally message 
of the form (i, prev_hash, t, |, D>, Px {s}, Px {s.prev_hash}, final, sign)) is 
also stored on the public blockchain. The DRE sends the final tally 
message to the blockchain and verifies that it has been included into 
the blockchain. According to our proposed protocol, the hash of the 
last valid cast ballot is included in the final tally message as well as in 
the signature of the final tally message. However, all the audited and 
confirmed ballots during the voting phase are stored on cloud. Thus, if 
any of the already recorded ballot on the cloud is modified, it can be 
detected by the public by observing the final tally message transaction 
and the group information transaction stored in the blockchain. It also 
prevents a malicious bulletin board from successfully adding a new 
ballot or deleting a recorded ballot on the cloud without detection. 
Since, for each DRE machine, we add only two transactions (the first 
and the last transaction of the hashchain) into the blockchain, the total 
financial cost towards mining these ballots is at most 16 million gas. 
Therefore, in this case, the cost of mining is almost negligible. We 
discuss the timing measurements analysis for posting each ballot on the 
BB in a later section. A dynamic cloud network control protocol [76] or 
a queueing model [77] could be used for the scalability and allocation 
of cloud resources in presence of the dynamic workload of voting 
citizens. Note that we can use IPFS as an alternative to cloud. However, 
in that case, we have to store the IPFS hashes on the blockchain in 
addition to the cryptographic group information and the final tally 
message. The advantages of this method (method 2) are: (1) the cost 
for storing the ballots is low, and hence this method is more suitable 
than method 1 when the number of voters in the election is very large; 
(2) the cryptographic keys and the final tally messages remain tamper- 
resistant; (3) all the ballots are tamper-evident. The disadvantage is 
that all the ballots are tamper-evident, but less tamper-resistant than 
the ballots while using method 1 (i.e. using blockchain). Note that, 
as discussed before, irrespective of these two methods (method 1 and 
method 2), if any ballot is tampered by the adversary, it will be detected 
by the public in the tally verification phase. 


6.3. Security analysis of the proposed system 


In this section, we discuss the security properties of the proposed 
voter registration, voter authentication and the voting scheme. In par- 
ticular, we prove that our scheme satisfies all the properties described 
in Section 3.2 as well as the integrity and vote secrecy requirements 
stated in Section 3.1. 
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6.3.1. Eligibility verifiability and the security analysis of the voter registra- 
tion and authentication procedure 

In this section, we prove the eligibility verifiability property and the 
correctness of the voter authentication procedure. 

Legitimacy of each voter. On successful verification of a voter, 
the voter authentication procedure proves three things: the entry cor- 
responds to the fingerprint of the legitimate voter, it can retrieve the 
correct random number r;, from her biometrically encrypted data D, 
and the voter has presented the correct random number r; by providing 
her smart card. Therefore, the voter has provided all her secret keys 
and her fingerprint correctly. An imposter has to know two secret keys 
r;, and rp to generate a token number H(r; llr) correctly. To form 
a valid ballot, the imposter must include g?ill"2) and a NIZK proof 
of knowledge of the secret A(r;;||r;2) in the ballot. The public must 
verify two things: an entry with value g#(ill"2) exists on the output 
of the mixnet server (i.e. the public bulletin board, Fig. 3) published 
after the voter registration phase; and the NIZK proof of the secret 
H(r;;||r;2) provided in the ballot is correct. The random number r; is 
biometrically encrypted with the voter’s fingerprint. The biometrically 
encrypted data D; is kept securely by the election authority. The 
random number r; is kept by the voter in a smart card. Therefore, 
for an imposter, the probability to generate a correct token is (1/2)*, 
where « = min{l4, l; +l}, l4 is the number of bits in the output of the 
hash function H, /,,/, are the number of bits in r, and r respectively. 
During the voter authentication phase, the hash of the biometrically 
encrypted data D, provided by the election authority should match 
with H(D;) value stored in the voter’s smart card to ensure that D, 
provided by the election authority is correct and unaltered. Suppose 
a voter’s biometrically encrypted data D, is somehow leaked from the 
election authority’s storage system to an adversary and she attempts 
a brute-force attack on the Fuzzy Vault system by trying to decode 
the secret r;,. In that case, if size of the secret key r; is 128 bit, and 
the number of chaff and genuine points in the vault are 200 and 24 
respectively, then the probability that a combination of points decodes 
the secret is approximately 4 x 107!°. The security provided by the 
biometric encryption system has been discussed in more detail in [22]. 
Note that besides the secret key r;,, the adversary also needs to know r; 
to deduce a token number correctly. Hence, a imposter cannot generate 
a ballot correctly. Therefore, a correct token can only be generated 
by a registered voter. This can be verified by the public. Hence, the 
legitimacy of the voter is ensured. 

One-Person-One-Vote without revealing any correspondence 
between the person and her ballot (encrypted vote). Only one 
vote per one voter is ensured by the fact that an entry (VOTER_ID,, 
E(g#@ill"2))) on the public bulletin board (Fig. 3) corresponds to only 
one entry g/#1!"2) on the output of the last mixnet server without 
revealing the exact correspondence via mixnet servers [64]. The cor- 
rectness of the shuffling procedure can be verified by checking all 
the NIZK proofs provided by the mixnet servers [64]. This hides any 
relation between the voter’s voter id VOTER_ID, (or voter’s name) 
and g#ill2), Hence, it does not reveal any correspondence between 
the voter and her token number H (r; ||r;2) (say, token,). Fig. 3 illustrates 
this fact. Now since g!"i and Px {token;} are included in her ballot on 
the BB (Fig. 6), one vote per one person is ensured by verifying three 
facts: ge": in all confirmed ballots on the BB (Fig. 6) are different; 
there exists only one entry g’*°"i on the BB (Fig. 3) generated during 
the voter registration phase; and the correctness of the NIZK proof 
Px {token;}. This can also be verified by the public. 

Therefore, the proposed scheme satisfies the eligibility verifiability 
property. Thus, the ballot stuffing attack is prevented. 


6.3.2. End-to-end verifiability and integrity of the voting system 

In this section, we prove that the proposed system achieves end-to- 
end verifiability and preserves integrity of the election tally. We show 
how voter-initiated auditing ensures that the votes are cast as intended 
and recorded as cast. We also prove that, assuming all well-formedness 
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proofs are proof of knowledge, if all public verification succeed, votes 
are tallied as recorded. The number of voters is assumed to be less than 
the size of the group q. 

Voter initiated auditing performs three checks. First, the voter 
observes that the first part of the receipt is provided before deciding 
whether to audit or confirm a ballot. Second, if the voter chooses to 
audit a ballot, she is provided with another receipt reflecting her vote 
v; and randomness r,. Thus, the voter can verify that her vote v, is 
correctly captured by the DRE. Third, the voter matches her receipts 
with those on the BB. Thus, the voter makes sure that her receipts are 
recorded by the BB without any modification. The public verification of 
the consistency of the audited ballots guarantees that the DRE has been 
successful to respond to the challenges made by the voter. Hence, the 
individual verification (step 7 of the voting phase in case of audit and 
step 8 of the voting phase) and the public audit consistency verification 
(step 2(iv) and 2(v) of the Tallying phase) collectively guarantee that 
the votes are cast as intended and recorded as cast. 

In the following theorem, we show that if the ballot well- 
formedness, signature and tally verification succeed, and hash of each 
transaction matches with the prev_hash field of the next transaction, 
the proposed system achieves tallied as recorded property. 


Theorem 1. In the proposed system, assuming that all proofs of well- 
formedness are proofs of knowledge, if the public ballot well-formedness, 
signature, token and tally verifications succeed, and hash of each transaction 
matches with the prev_hash field of the next transaction, then the reported 
tally t is the correct tally of all confirmed votes on the bulletin board. 


The proof of the above theorem is rather straightforward and hence 
omitted here. In the proposed algorithm, any ballot is linked to its 
previous ballot by using the hash of the previous ballot in the sig- 
nature of the ballot. This creates an append-only list of valid ballots. 
Having ballots linked to its previous ballot prevent a malicious bulletin 
board from adding new ballots. It can be shown how all the public 
verifications, proof of well-formedness and the first tally verification 
checks (i.e. first of the two in Eq. (2)) collectively guarantee that the 
second tally verification (i.e. the second of the two in Eq. (2)) holds 
if and only if t = )),-cv;, where C is the set of all confirmed votes. 
Hence, if hash of the previous ballot matches with the prev_hash field 
of the current ballot and well-formedness, signature, token number and 
tally verification succeed, the reported tally t is the correct tally of all 
confirmed ballots on the BB (Fig. 6). 

If the adversary does not get access to both the secret key of the 
underlying signature algorithm and a valid unused token number token, 
she cannot post a valid ballot on the BB. However, if the adversary gets 
access to the secret key of the underlying signature algorithm, a valid 
unused token number token and gets read access to the DRE storage 
variables (for example, partial sum s, partial tally t and prev_hash), then 
she can post adversarial ballot on the BB; however, it will be detected 
immediately since the DRE will not be able to post the next ballot on 
the BB. The voter will not be able to match her receipts with those on 
the BB. Therefore, this attack can be detected immediately. The invalid 
transactions (adversarial ballots) that are causing this inconsistency can 
also be determined immediately by observing the prev_hash field of 
the current ballot generated by the DRE. If facilities are available, the 
bulletin board may remove those invalid transactions from the end of 
the bulletin board to add the current valid ballot. 

Note that, in DRE-ip, if an adversary gets access to the secret key 
of the underlying signature algorithm, the adversary can post ballots 
on the bulletin board in such a way that it cannot be detected by the 
tally verification process (including the public verification and tally 
verification process) in the tallying phase. A malicious DRE-ip system 
can also add such valid ballots on the BB. This has been described 
earlier in Section 4. 
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6.3.3. Ballot secrecy and the voter’s privacy 

In this section, we prove that our scheme is secure against all 
probabilistic polynomial time adversary that try to deduce a particular 
voter’s vote. We show that the public bulletin board does not reveal any 
information about a voter’s vote except what a tally normally does. In 
an election with n, voters, if an attacker colludes with some m, number 
of voters, she will learn the partial tally of the remaining (n, — m,) 
voters; however, she will not be able to deduce any honest voter’s vote. 
Note that the attacker can compute the partial tally by subtracting the 
colluding voter’s votes from the final tally. 

We consider intrusive attacks to the DRE machine in which the 
adversary gets read access to the DRE storage for a certain period 
during the voting phase. The adversary is able to observe the vote cast 
during that access period and also gets read access to the running tally 
t, partial sum s and the running hash prev_hash. The adversary can also 
read the publicly available information on the bulletin board. We prove 
that if an adversary can make temporary access to the DRE machine at 
a certain time T, she will only learn the partial tally of all cast votes 
from the start of the election to the time T and from the time T to the 
end of the election. 

For the purpose of this proof, we consider an abridged bulletin 
board where the zero-knowledge proofs of well-formedness are simu- 
lated. Assuming that the zero-knowledge proofs are secure, the adver- 
sary will only have negligible advantage while dealing with them. In 
the rest of the proof, we shall not mention the zero-knowledge proofs 
with each ballot; however, it is provided with each ballot. 


Lemma 1. In our proposed scheme, if an attacker colludes with some m, 
(m; < nı) number of voters and gets read access to the DRE storage after 
n; voters cast their votes, she will only learn the partial tally of (n, — m,) 
uncompromised voters, not the individual votes of the uncompromised voters. 


Proof. Without any loss of generality, we assume that the indices of the 
uncompromised (honest) voters are {1,2,...,1, — mı}, and that of the 
colluding voters are {n, — m; + 1,n, — mı + 2,...,n,}. The DRE stores 
only four variables: the sum of all random numbers s generated so 
far for creating the ballots; the running tally t of all cast (confirmed) 
votes, the running hash prev_hash (hash of the previous ballot) and 
the unique ballot index i. Since s and ¢ are initialized with 0 at the 
beginning of the election, if the attacker gets read access to the DRE 
storage after nų voters have cast their votes, she will learn the partial 
tally of n) voters and partial sum of randomness used to create their 
ballots and the running hash prev_hash after n, ballots. The attacker 
will know all the colluding voters’ vote; however, the randomness used 
to create their ballots will remain secret to the attacker. This is because, 
after a vote is cast, the DRE securely deletes the corresponding random 
number and the vote used to compute the confirmed ballot. Each ballot 
is of the form (U,,V,) along with the unique ballot index i, running 
hash prev_hash, g'?*", Px {token}, NIZK proof of ballot well-formedness 
and the signature of the ballot, where U, = gi and V, = A g 
Vi € {1,2,...,,}. The attacker will know the colluding voters’ votes 
Un, my +19 nym, 42> «+++ Un,» Hence, she can compute the partial tally of 
uncompromised voters’ vote by subtracting these votes from the overall 
tally t. However, the randomness r, will remain secret to the attacker 
Vi € {1,2,...,n,}. The randomness of an uncompromised voter, r; = 
s= frp +r bee try + ria + ra h} Now all rps are uniformly 
and independently distributed over Z,. The partial sum s is known 
to the attacker. Now if at least one of the random values rj, where 
J€(1,2,...,i-1,i+1,...,2,}, is unknown to the attacker, r; will be a 
random value unknown to the attacker. Hence, for all uncompromised 
voters, the value r, to compute the ballot (U;, V,) is random, uniformly 
distributed over Z, and unknown to the attacker even if the attacker 
knows the partial sum s and the running hash prev_hash. Moreover, 
according to the protocol, the secret key of the encryption i.e. the 
discrete logarithm between g, and g, is either not known to any party 
or securely deleted during the setup stage (see, for instance, [78] for 


S. Panja and B. Roy 


solution to secure data deletion). Hence, to deduce an uncompromised 
voter’s vote from the ballot (U;, V;), the attacker has to solve a discrete 
logarithm problem (DLP). Therefore, if the discrete logarithm problem 
(DLP) is hard to solve in the group G,, an attacker will not be able 
deduce an uncompromised voter’s vote. O 


The adversary can control arbitrary number of voters, and in effect 
she can cast arbitrary number of votes. We call the votes cast or 
observed by an adversary adversarial votes. The adversary can compute 
the tally of non-adversarial votes cast before and after the adversarial 
access period by using the knowledge of adversarial votes, final tally 
and the partial tally during the adversarial access period. 


Theorem 2. Suppose the election begins at time T,,,;, and finishes at 
time T,,,q- If an attacker determines arbitrary number of votes and gets 
temporary read access to the DRE storage during a certain period [T),T,] C 
[T egin Tena} then she will only learn the partial tallies of non-adversarial 
votes cast between the time Tegin to Ty and between T, to Tona» but not the 
individual non-adversarial votes. 


Proof. The proof of this theorem follows from Lemma 1. 


o 


We have proved the theorem for one adversarial access period only. 
However, it can also be extended to multiple adversarial access period. 

Receipt-freeness. We consider a definition of receipt-freeness which 
requires that a voter cannot produce a receipt to prove that she votes in 
a particular way (i.e. for a particular candidate). Its purpose is to pro- 
tect against vote buying. This definition originates from Benaloh [79]. 
The proposed system provides a receipt to the voter; however, the 
voter cannot prove that she votes in a particular way since her vote is 
encrypted. The public key g, of the ElGamal encryption algorithm can 
be generated from the group generator g, using a hashing algorithm 
in such a way that the discrete logarithm (secret key) relationship 
is not known to any party including the DRE (or this secret key is 
securely deleted during the setup stage). Furthermore, after encrypting 
each confirmed vote, the DRE securely deletes corresponding random 
variable r; and the vote v;. These information are not provided to 
the voter or stored in the DRE machine. Therefore, a voter using 
her receipts provided by the DRE cannot prove that she voted for a 
particular candidate. Hence, the proposed scheme is receipt-free. 


6.4. Zero-knowledge proofs 


In this section, we present the NIZK proof algorithms that is re- 
quired for well-formedness proof of the ballot. We first recall the NIZK 
proof algorithms used in DRE-ip [4] and then the efficient NIZK proof 
algorithm proposed by Lin et al. in [23]. Subsequently, we analyze 
the efficient NIZK proof protocol proposed in [23] and prove that it 
does not satisfy the required security properties of a zero-knowledge 
proof. Thereafter, we propose a NIZK proof algorithm that is more 
efficient than the NIZK proof presented in DRE-ip [4]. It is shown that 
our proposed efficient NIZK proof algorithms satisfy all the required 
security properties of a NIZK proof. 

Assume that there are n candidates contesting the election. Let us 
assume that the vote v; in the ith ballot is given to the jth candidate, 
where j € {1,2,...,}. As discussed in Section 6.1.3, we encode the vote 
for the jth candidate as v = M/—!, where j € {1,2,...,”}. In this case, 
the ith ballot will be of the form ((i, g/“@", prev_hash, U;,V;, Pwr {V} 
Px {token}), audited ,r;,v;, sign) 
in case of audit or ((i, gen, prev_hash, U;, V,, Py p {V;}, Px {token}), 
confirmed, sign) in case of confirmed vote, where U, = gi and V, = 
gy ar ‘" The well-formedness proof Py, -{V;} is a 1-out-of-n disjunctive 
proof and can be stated as: 


A -1 a 
Py rlV; £ 8182 U;} = P(r; | Via (U = gD AVi/8y” = 8'))} 


= Piri U =a) A V” a 0/8 = g). 
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6.4.1. Revisiting the 1-out-of-n NIZK proof used in DRE-ip 

Algorithm 1 (resp. Algorithm 2) represents the prover algorithm 
(resp. verifier algorithm) for generation (resp. verification) of the 1- 
out-of-n NIZK proof used in DRE-ip. This 1-out-of-n NIZK proof is 
extended from the 1-out-of-2 NIZK proof given in [4]. Algorithm 1 
(resp. Algorithm 2) is written to prove (resp. verify) a proposition of 
the form vj_,(I" = {7'}*) A 7" = n). 


Algorithm 1: A prover with identifier ID generates a proof of 
knowledge of a secret 4 such that Vi (Q = Daa = EA ¥) 
for known ID,n, T',y', ay, i w where the vote is given to the 
jth candidate, j € {1,2,...,n}. 
Input : ID,n, T", y’, (T), yi) p 4j such that T” = {y'}} and 
an MÀ 
T; =r; } 

Output: I = Pk{4: v} (UI = TADEN H = {7} 
begin 
choose random 
W, Fis Cs Fs Cas eve Ppp jap F jyt jtt Tn Cn E Zg 
calculate t = {7} {0% t = (7 VI, ty = 

Ira ILC en n2 MC = 
eT }2, t22 = {v5 } i, Sa a sas 
(PPD YS tag = A I Pt = ty = 
CF tp = YH, thie = 


J 
OPa T ai = (7 PT, t = YTY 


j+l 

calculate 
i ” m 

c = H(ID,(y',T', Yi > T; Xap Cr tii)» 

calculate 

cj =c — (Cy +e Hee + Cj Heyyy Hee +e) 

calculate r; = w—c;A 


return I = (C1, C25 +++ Cja1> Cj Cj41> eo Cm F1 F2 Fj- tjs 
Fils ln) 
end 


Algorithm 2: Verification of proof II generated by Algorithm 1 

given ID,n,I',y', q) A y yi_,- However, the verifier does not know 

to which candidate (i.e. j) the vote is given. 
Input : ID,n, I", y, y E = (e102, 
Output: success or failure 
begin 

calculate 

ty = {7 T, ti = VEL toy = {r V2 2 tn = 

AE, as 

ta = (PAT t = (p YT” 

calculate 

d = H(I D, Py! T'Y ns toy) 

if c’ =(cy +e) + + +¢,) then 

| return success 


else 
| return failure 


end 


va Cael [sl 25-009 n) 


end 


6.4.2. Revisiting the efficient 1-out-of-n NIZK proof proposed by Lin et al. 

In [23], Lin et al. proposed a 1-out-of-n NIZK proof and claimed 
that it is more efficient than the original NIZK proof. We describe the 
1-out-of-n NIZK proof proposed by Lin et al. [23] almost verbatim. 
We then analyze this NIZK proof and show that it does not satisfy 
the properties of zero-knowledge proof. The 1-out-of-n NIZK proof 
algorithm is described considering our case. 
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1-out-of-n NIZK proof by Lin et al. The prover and the verifier are 
divided into two parts respectively depending on the parity of j (even 
or odd), where the vote is given to the jth candidate. 

The prover chooses a random number w. If j is even, the prover 
chooses random numbers rg,dg,YP € {2,4,...,n}; otherwise, if j is 


odd, the prover chooses random numbers r.d, Yn E {1,3,. n - 1}. 

Thereafter, the prover calculates the vote (U;, V) = (gi! ee gM- t and 

ji tj2) (883). The prover then calculates (t,tp) = Gru, 
TV, gM" }4), where I = 2,4,...,n if j is even or / = 1,3,...,n— 1 


if j is odd. For non-interactiveness, ca = H(r;||U;||V;). Then the prover 
computes Coven = H (ri (UV tn ti2 Yiogeeven) if j is even or Codda = 
HOU tr te Yo eoan) if J is odd. 

Then the prover computes the following parameters based on the 


parity of j. 


ry p d 
If j is even, the prover calculates (tp),tg.) = gi’ U; ie gy 
p-1 y = 
{V,/ay" YP), Coda = Cail = Coyens lj = Ceven - Èpdprj = = w-r;dj. 
rn 7 
If j is odd, the prover calculates (t,t) = (g," U," g” 
Mly d = = i 
{V;/8, yen), Coven = Call — Codd» d; = Codd — Lindy"; ae rd). 


Finally, the verifier sends (Casta dior =2leaven" U;,V;,Coaq) to the 


i Vi» Coven) to the verifier 


i? “even 


verifier if j is even or ({t;, tn, dp ri} 
if j is odd. 

The verifier verifies the correctness of Cepen OF Codd = dy 4)> Cat) = 

Coven + Coada aNd (t,tp) = (gus! set (V/M }41), where 1 = {2,4,...,n} 
or{1,3,...,n— 1}. If the verifier verifies these conditions successfully, it 
returns success; otherwise, it returns failure. 

Analysis of this 1-out-of-n NIZK proof. According to the proto- 
col, the verifier has to compute A(r,||U;,||V;) or H(r;\|U; IVI 
{tii ti2 odeeveny) if j is even or H(r;||U; IKALE ya Hacda) if j is odd 
to verify the conditions: Cepen OF Coda = È idi, Cait = Ceven + Coda: However, 
the verifier cannot compute these hash functions since she does not 
know the secret value r; used in the argument of the hash function. 
Therefore, this 1-out-of-n NIZK proof does not satisfy the completeness 
property of the zero-knowledge proof. 

Moreover, according to the protocol, the verifier has to verify the 
conditions (t;, t) = U Bat (V/M y4), where 1] = {2,4,...,n} 
or{1,3,...,n— 1}. To verify these conditions, the verifier has to know 
whether j is even or odd. It means that the verifier has to know 
whether the voter has given her vote to an even numbered candidate 
or an odd numbered candidate. In other words, if the verifier verifies it 
successfully when / = {2,4,...,n}, the verifier will know that the voter 
has given her vote to an even numbered candidate (since j is even). 
Similarly, if the verifier verifies it successfully when / = {1,3,...,n—1}, 
the verifier will know that the voter has given her vote to an odd 
numbered candidate (since j is odd). Therefore, this 1-out-of-n NIZK 
proof does not satisfy the witness indistinguishability property of the 
zero-knowledge proof. 


l= ideoda U 


6.4.3. Our proposed efficient 1-out-of-n NIZK proof 


We propose an efficient 1-out-of-n NIZK proof. Our proposed 1- 
out-of-n NIZK proof satisfy all the required security properties of the 
zero-knowledge proof. The security proofs of the proposed 1-out-of-n 
NIZK proof are given in Appendix B. We have modified the zero- 
knowledge proof involving the conjunction and disjunction of predi- 
cates to improve its performance. The 1-out-of-n (Algorithms 3 and 
4) proofs presented here are efficient than the proofs presented in 
DRE-ip [4]. Algorithm 3 (resp. Algorithm 4) is written to prove (resp. 
verify) a proposition of the form vi_,(I” = {y' YA q? = (74) 
which is equivalent to (I’ = {y’ j JA Vua = y). As we 
assumed previously, the vote is given to the jth candidate. We assume 
that the simultaneous multiple exponentiation (SME) [80] technique 
is used to optimize the computation of a term of the form g*h’. The 
computation cost of the term g*h” is around 1.2 exponentiation using 
SME technique. The prover algorithm (Algorithm 3) requires (1.2(n—1)+ 
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Algorithm 3: A prover with identifier ID generates a proof of 
knowledge of a secret 4 such that Q” = {y AA Vv A = Y) 
for known ID,n, T',y', ay, n Yop where the vote is given to the 
jth candidate, j € {1,2,...,n}. 


Input : ID,n, T',y', (T), yi) Aj such that I’ = {y'}} and 
a4 = {y fea 
Output: t= caer =y ) AVi (7 = = (E700) 
begin 
choose random 
W, F1, C1, F2, C25... oP jap Cj- j+ j+ MN E = Zi 


calculate w; = w + (r1 +r + +rj trj t: r +(e, + 
Cg tev + Cj + Cj Hee ty )A 
calculate t = {y}, tiz = {y P {TI}, too = 


(VCD, th n= {7 TY 1 ty = 
iv)" tua = (71, yori OF coat =e hr 
calculate 
c = H(ID,y',T', (yl, T'Y to tda 
calculate 
cj =¢ = (ey +e Hee + Cjr + Cjr Hee +) 
calculate r;=w-cjÀ 
return I = Goe n a ee er 
Fiti eon) 
end 


Algorithm 4: Verification of proof IT generated by Algorithm 3 
given ID,n, I",y', q) A y/' yi_,- However, the verifier does not know 
to which candidate (i.e. j) the vote is given. 


Input : ID,n,0"',y', 7, 7/' fpr = (Ci Casca Cas i esn 
Output: success or failure 
begin 

calculate 

ty = {p pitter (rr yerteate ten, ti = (TTY, toy = 

r2 Myc 
(rly? (DIY, a, 
F, 
tro = (ry PD 
calculate 


d’ = HID, YT th tidy) 
if c’ =(cy +e) + + +¢,) then 
| return success 


else 
| return failure 


end 


end 


Table 4 
Computation complexity of the 1-out-of-n NIZK and the proposed 1-out-of-n NIZK proof. 
e represents the exponentiation operation. 


Scheme Prover Verifier 
1-out-of-n NIZK proof (2.4(n — 1) + 2)e 2.4ne 
Proposed 1-out-of-n NIZK proof (1.2(n — 1) + 2)e 1.2(n+ le 


2) exponentiations; however, the prover algorithm (Algorithm 1) pre- 
sented in DRE-ip requires (2.4(n—1)+2) exponentiations. To verify such 
zero-knowledge proof, the verifier algorithm (Algorithm 4) requires 
1.2(n + 1) exponentiations; however, the verification algorithm (Algo- 
rithm 2) presented in DRE-ip requires 2.4n exponentiations. In Table 4, 
we theoretically analyze the cost of execution of the prover and the 
verifier of the original 1-out-of-n NIZK proof and our proposed efficient 
1-out-of-n NIZK proof. Since exponential operations are the most time 
consuming operations, we only include the number of exponentiations 
in theoretical analysis (Table 4). 
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Security assumptions for some DRE-based verifiable e-voting systems. Columns are represented as — A: Reliable Tallying 
authorities, B: Sufficient Voter-initiated auditing, C: Protection against malicious bulletin board, D: Secure setup, E: Secure 
random number generator, F: Secure Deletion, G: Secure Ballot Storage, H: Trust-worthy tallying authorities, I: Secure 
computation (with proof of correctness) of the final tally without revealing the results from each DRE machine when multiple 
DRE machines are used, J: secure voter registration and authentication. +: assumption is required, o: assumption is not required. 


System 


Votegrity 

MarkPledge 

VoteBox 

STAR-Vote 

DRE-i 

vVote 

DRE-ip 

Proposed system using cloud server/IPFS 
Proposed system using blockchain (method 1) 


Proposed system using both cloud/IPFS and blockchain (method 2) o . o . . . o o o o 


These algorithms can be extended to prove any proposition of the 
form AL Qi A (Viw) for a set of assertions {@,@ ,..., Pk WL Y2 -> 
y,,}, where the numbers k and n are known to both the prover and the 
verifier. To generate such zero-knowledge proof, the proposed prover 
algorithm (extended version of Algorithm 3) requires (1.2(n-—1)+k+1) 
exponentiations; however, the prover algorithm (extended version of 
Algorithm 1) presented in DRE-ip requires (1.2(k + 1)\(n — 1) + k + 1) 
exponentiations. To verify such zero-knowledge proof, the proposed 
verifier algorithm (extended version of Algorithm 4) requires 1.2(n +k) 
exponentiations; however, the verification algorithm (extended version 
of Algorithm 2) presented in DRE-ip requires 1.2n(k+1) exponentiations. 
Therefore, the proposed NIZK proofs are almost (k + 1) times more 
efficient than the NIZK proofs presented in [4]. 


6.5. Comparison 


In this section, we discuss how our proposed system compares with 
other DRE-based verifiable e-voting systems. In particular, we compare 
with Chaum’s Votegrity [1], Neffs MarkPledge [24], VoteBox [72], 
Star-Vote [26], DRE-i [3], vVote [32], and DRE-ip [4]. All of these 
systems consider voter registration and voter authentication outside of 
their scope and assume that they are performed securely and correctly. 
Our scheme comprises a secure and verifiable voter registration and 
authentication mechanism. All of the above mentioned systems rely on 
a secure bulletin board. In our proposed system, if the BB is insecure, 
it will be detected by the public or individual voters during the voting 
phase or tallying phase. The ballots can be stored using in any of 
these methods: cloud server, IPFS, blockchain (method 1), both cloud 
server/IPFS and blockchain (method 2). A comparison of these systems 
in terms of their underlying security assumptions is given in Table 5 
(also see DRE-ip [4] for security assumptions of these systems). 

We now discuss the computational complexity of different DRE- 
based e-voting systems and compare it with our proposed system. 
We do not consider Votegrity, MarkPledge, and vVote since they use 
mixnets and the computational complexity depends on the implemen- 
tation of those mixnets. Let us compute all calculations based on a 
two-candidate election, encryption based on ElGamal cryptosystem and 
one tallying authority (TA) if present. If the number of TAs increases, 
the complexity of tally calculations and verification of all the sys- 
tems requiring tallying authorities also increases. We assume that the 
TA, if present, provides proof of correctness as required by the end- 
to-end verifiability. We also assume that the simultaneous multiple 
exponentiation (SME) [80] technique is used for optimization. Using 
this technique, the computation cost of the term g*h” is equivalent to 
around 1.2 exponentiations. The voter authentication process and the 
voting phase can be performed in pipeline. Table 6 summarizes the 
computational complexity of different systems (also see DRE-ip [4] for 
performance comparison of these systems). 

The ElGamal encryption for a ballot takes around 2 exponentiations. 
The zero-knowledge proof Py; {V;} takes 3.2 exponentiations to gen- 
erate and 3.6 exponentiations to verify using the proposed efficient 
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Table 6 
Computation complexity of some DRE-based verifiable e-voting systems assuming two- 
candidate election. Columns are represented as — A: Ballot calculation, B: Ballot 


well-formedness and consistency verification, C: Tally calculation, D: Tally verification. 
B, A, C represent all, audited and confirmed ballots respectively. e: exponentiation and 
m: multiplication. 


System A B Cc D 

VoteBox 6.4|Ble (6.8|A] + 4.8/C)e |C|m + 3e |C\|m+2.4e 
STAR-Vote 6.4|Ble (6.8|A| + 4.8/C))e |C|m + 3e |C]m + 2.4e 
DRE-i 10.8|B]e (9.6|A| + 4.8/C])e |B|m + le 
DRE-ip 6.4|Ble (6.8|A| + 4.8|C)e 2|C|m + 2e 
Proposed system 5.2|Ble (5.6|A| + 3.6|C])e 8e (2|C| + 1)m + 4.8e 


NIZK proof Algorithm 3 (for generation) and Algorithm 4 (for verifi- 
cation) described in Section 6.4. Therefore, a ballot creation requires 
5.2 exponentiations for both audited and confirmed ballot. Since our 
system comprises a secure and verifiable voter authentication mecha- 
nism, this introduces some additional computations in our system. The 
computation of g’°**” requires one exponentiation. The zero-knowledge 
proof Px {token} takes 1 exponentiation to generate and 1.2 exponenti- 
ations to verify using the NIZK proof Algorithm 5 (for generation) and 
Algorithm 6 (for verification) described in Appendix A. Therefore, a 
ballot creation requires about 7.2 exponentiations for both audited and 
confirmed ballot. The ballot well-formedness and consistency verifica- 
tion take about 6.8 exponentiations and 4.8 exponentiations for audited 
ballot and confirmed ballot respectively. The tally calculation and tally 
verification require about 8 exponentiations and (2|C| + 1)m + 4.8e 
computations respectively, where ‘m’ and ‘e’ denote the multiplication 
and exponentiation respectively. 

However, in case of n(n > 2) candidates, the zero-knowledge 
proof Py -{V;} takes (1.2(n — 1) + 2) (= (1.2n + .8)) exponentiations to 
generate and 1.2(n + 1) exponentiations to verify using the proposed 
efficient NIZK proof Algorithm 3 (for generation) and Algorithm 4 
(for verification) given in Section 6.4. Therefore, in this case, ballot 
calculation requires (1.2n+4.8) exponentiations for both an audited and 
confirmed ballot including the computations introduced due to voter 
authentication. Table 7 summarizes the computational complexity of 
DRE-ip (without voter authentication) and our proposed system (with 
voter authentication) in case of n candidates. 

When multiple DRE machines are deployed for casting votes in an 
electoral constituency (from where a candidate is to be elected), during 
the tallying phase, our proposed voting scheme additionally performs 
two secure multi-party computations. Let us analyze the performance of 
our proposed secure multi-party computation protocol when the num- 
ber of DRE machines deployed in an electoral constituency is d. There 
are only two rounds in our proposed secure multi-party computation. 
As discussed in [73], minimum two rounds are required to compute 
a function securely in any secure multi-party computation protocol. 
In the first round, each DRE machine sends (d — 1) random numbers 
(using symmetric key encryption over an authenticated channel) to the 
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Table 7 

Computation complexity of DRE-ip (without voter authentication) and our proposed e-voting systems (with voter authenti- 
cation) while supporting voting for 1 out of n candidates (n > 3). Columns are represented as — A: Ballot calculation, B: 
Well-formedness and consistency verification, C: Tally calculation, D: Tally verification. B,A,C represent all, audited and 


confirmed ballots respectively. e: exponentiation and m: multiplication. 


System (multiple candidates) A B C D 
DRE-ip (2.4n + 1.6)|Ble ((2.4n + 2)|A| + 2.4n|C)e 2|C|m + 2e 
Proposed system (1.2n + 4.8)|Ble ((.2n+4.4)|A] + 1.2(n + 2)/CPe 8e (2|C| + Dm + 4-8e 


Table 8 


Computation and communication cost (space) of the proposed secure multi-party computation when the number of DRE 


machine is d. a is the size of each element of the group Z,. 


First round 


Second round 


Computation cost 
on numbers in Z, 


Communication cost (space) ((d — 1) xa) for each DRE 


Each DRE performs 2d addition operations 


The (d + 1)th party performs d addition 
operations on numbers in Z, 
a for each DRE 


remaining (d — 1) DRE machines and performs 2d addition operations 
on numbers in Z, (to compute tig = (ti — ti — tig =~ — tig—1) and 
T; = tii +t +t + +tg;,i € {1,2,...,d}). In the second round, the ith 
DRE sends T, to the (d + 1)th party, and then (d + 1)th party performs 
d addition operations on numbers in Z, (to compute T = T, + T, + 
T; + =- + T4). Therefore, the total number of rounds of the proposed 
secure multi-party computation is 2. The total computational time for 
each DRE machine is 2d addition operations on numbers in Zy where d 
is the number of DRE machines deployed in the electoral constituency 
(from where a candidate is to be elected such as a district, not the whole 
country). The total space required (communication complexity) is (dxa) 
bits (for sending d random numbers in Za) for each DRE machine, 
where a is the size of each element of Z, in bit. Table 8 highlights the 
computation and communication cost (space) for the proposed secure 
multi-party computation when the number of DRE machine is d. 


6.6. Performance analysis 


6.6.1. Experiment on ethereum (only for method 1) 

We deployed our implementation on Ethereum’s private network 
that mimics the production network. We tested our implementation for 
different number of candidates contesting the election. Two different 
experiments were performed based on how we use the blockchain. 

First, we use blockchain only as a ballot box. The blockchain stores 
the ballots after verifying its signature without verifying any NIZK 
proofs. Note that verification of the NIZK proofs by the blockchain is 
optional (i.e. not necessary) since it can be verified by the public using 
a separate module. We have carried out experiments with 2, 3, 4, 5, 
6 and 7 candidates and plotted the results to show how the costs for 
casting a ballot vary with different number of candidates. Fig. 7(a) 
(resp. Fig. 7(b)) highlights the average gas consumption cost (resp. 
cost in US dollar) for casting a ballot based on different number of 
candidates. In this experiment, we have calculated the cost in US dollar 
(denoted by ‘$’ in Fig. 7(b)) and rounded it to three decimal places. 

Secondly, we have used blockchain as a ballot box as well as 
to verify the 1-out-of-n NIZK proof corresponding to the ballot well- 
formedness proof. The blockchain stores the ballots after verifying its 
signature as well as the 1-out-of-n NIZK proof. We have performed 
experiments with 2, 3, 4, 5, 6, 7, 8 and 9 candidates using our proposed 
efficient 1-out-of-n NIZK ballot well-formedness proof (Algorithms 3 
and 4) and plotted the results to show how the costs for casting a 
ballot vary with different number of candidates. We have also tested 
with 2, 3, 4, 5 candidates using the original 1-out-of-n NIZK ballot 
well-formedness proof (Algorithms 1 and 2) and plotted the results 
to compare the performance. Fig. 8(a) depicts the average gas con- 
sumption cost for casting a ballot based on the number of candidates 
competing in the election, while using the original 1-out-of-n NIZK 
ballot well-formedness proof and our proposed efficient 1-out-of-n NIZK 
ballot well-formedness proof. Casting a ballot involves verifying the 1- 
out-of-n NIZK ballot well-formedness proof, verifying the signature and 
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storing the ballot into the blockchain. From this figure, we see that the 
proposed 1-out-of-n NIZK proof is about twice more efficient than the 
original 1-out-of-n NIZK proof used in [4]. The maximum gas capacity 
that an Ethereum block can consume is about 8 million as in July, 
2020. From the figure, we see that each transaction for casting a ballot 
reaches the computation and storage limit for about 9 candidates while 
using our proposed efficient 1-out-of-n NIZK proof; whereas, it reaches 
the maximum gas limit for about 5 candidates while using the original 
1-out-of-n NIZK proof. Fig. 8(b) shows the costs for casting a ballot 
based on the number of candidates competing in the election and while 
using the original 1-out-of-n NIZK ballot well-formedness proof and our 
proposed efficient 1-out-of-n NIZK ballot well-formedness proof. In this 
experiment, we have calculated the costs in US dollar (denoted by ‘$’ 
in Fig. 8(b)) and rounded it to two decimal places. 


6.6.2. Timing analysis (in case of using cloud server, using IPFS, method 1 
and method 2) 

We implemented the proposed 1-out-of-n NIZK ballot well- 
formedness proof which is the most time consuming part for gener- 
ation and verification of a ballot. Fig. 9 depicts the timing analysis 
measurements for generation of 1-out-of-n NIZK ballot well-formedness 
proof using our proposed NIZK proof (Algorithm 3) as well as using the 
original NIZK proof (Algorithm 1), where n is the number of candidates 
contesting the election. Fig. 10 shows the timing measurement analysis 
for verification of 1-out-of-n NIZK ballot well-formedness proof using 
the proposed NIZK proof (Algorithm 4) as well as using the original 
NIZK proof (Algorithm 2). All tests were performed on a HP Laptop 
running Windows 8.1 equipped with 2 cores, 1.8 GHz Intel Core i3 and 
4 GB RAM. All time measurements are rounded up to the next whole 
millisecond. We implemented the protocol over an elliptic curve. The 
time to create and verify a ballot depends on the number of candidates 
competing in the election. However, it is independent of the number of 
voters. 

To see how the time for generation and verification of the 1-out- 
of-n NIZK proof using the proposed NIZK proof vary with different 
number of candidates, we have carried out experiments with 2, 4, 6, 
..., 24 candidates. Fig. 9 (resp. Fig. 10) highlights that the computation 
time to create (resp. verify) the 1-out-of-n NIZK ballot well-formedness 
proof using the proposed algorithm is almost reduced to half of the 
time required to create (resp. verify) that using the original NIZK proof 
algorithm given in [4]. 

We have also conducted experiments to see how the computation 
time for verification of the tally vary with different number of voters 
and different number of candidates contesting the election. We have 
performed experiments with 50, 100, 200, 400, 600, 800 and 1000 
voters and with 2, 3, 4, 5 and 6 candidates and plotted the results. 
Fig. 11 represents the computation time (in millisecond) for verification 
of the tally with respect to the number of candidates and the number of 
voters. The verification time during the tallying phase involves the time 
to verify the 1-out-of-n NIZK proof, hashchain and the tally verification 
equation (2). 
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Fig. 8. (a) Gas cost for casting a ballot based on the number of candidates contesting the election while using the original 1-out-of-n NIZK proof and our proposed 1-out-of-n 
NIZK proof. (b) Costs for casting a ballot based on the number of candidates contesting the election while using the original 1-out-of-n NIZK proof and our proposed 1-out-of-n 
NIZK proof. The costs are approximated in USD ($) using the conversion rate of 1 Ether = $243 and the gas price of 0.000000001 ether that are real world costs in July, 2020. 
Here, for both (a) and (b), casting a ballot involves storing the ballot after verification of the 1-out-of-n NIZK proof by the blockchain. 
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Fig. 9. Computation time to create the 1-out-of-n NIZK proof using the proposed 
algorithm and the original NIZK algorithm. 
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Fig. 10. Computation time for verification of the 1-out-of-n NIZK proof using the 
proposed algorithm and the original NIZK algorithm. 
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Fig. 11. Computation time for verification of the tally based on the number of voters 
participating in the election and the number of candidates contesting the election. 


7. Conclusion 


In this article, we have proposed a secure and verifiable voter 
registration and authentication mechanism. Thereafter, we have pro- 
posed an end-to-end verifiable DRE-based voting system that preserves 
voter’s privacy and integrity of ballots without any tallying authority or 
secure hardware storage even if the adversary gets temporary access to 
the DRE machine. The system prevents the well-known ballot stuffing 
attack and a weakness of the DRE-ip system. Depending on how the 
election is arranged, we have proposed two methods to store the 
ballots using blockchain and cloud/IPFS server. We have presented 
security proofs to prove the security properties of the protocol. We have 
proposed an efficient 1-out-of-n NIZK proof. Both the theoretic analysis 
and the experimental results show that the scheme is feasible to be 
used in practice. One of the challenging tasks in our proposed scheme 
is to reduce the False Rejection Rate of the Fuzzy Vault algorithm for 
fingerprint. As previously mentioned, another challenging task is the 
management of the key used by the Mixnet server. In future work, 
we plan to design biometric encryption algorithm with improved False 
Rejection Rate as well as to design DRE-based voting solution without 
tallying authorities for more complex voting systems such as single 
transferable vote (STV) [31] and Condorcet. 
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Appendix A 


Algorithm 5: A prover with identifier I D generates a NIZK proof 
of knowledge of a secret x such that (T” = g*) for known ID, I’, g 
and the encrypted vote (U;, V;). 
Input : ID,T',g,x,U;, V, such that (I’ = g*) 
Output: 7 = Pg{x: (T' = g*)} 
begin 
choose random w € Z, 
calculate 
tage 
calculate 
c= H(D,U,,V;,g,0',t)) 
calculate r = w 
return 7 = (c,r) 
end 


— cx 


Algorithm 6: Verification of proof n generated by Algorithm 5 given 
ID,T',g and the encrypted vote (U;, V;). 
Input : 1D,I',g,U,,V,,n =(c,r) 
Output: success or failure 
begin 
calculate 
t= gt r" 
calculate 
cı = H(I D,U;, V, g, T',t,) 
if ¢ = c then 
| return success 
else 
| return failure 
end 


end 


Algorithm 7: A prover with identifier ID generates a NIZK proof __ 
of knowledge of a secret x such that (I, = gf) A (I) = g3)) for 
known ID, T}, 81, I), 8. 
Input : ID, T, g, T>, g,x such that (I, = g*) A (D, = 83)) 
Output: 7 = Px{x: (IZ) = 87) A U2 = 85))} 


begin 
choose random w € Z, 
calculate 
ti = 8) to = 87- 
calculate 


c= H(I D, g, T1, 82, Ih, t1, t2) 
calculate r = w 
return 7 = (c,r) 


— cx 


end 


21 


Journal of Information Security and Applications 59 (2021) 102815 


Algorithm 8: Verification of proof y generated by Algorithm 7 
given ID, T}, 81, I2, 82- 
Input : ID,T,, 81, T2, 82, =(c,r) 
Output: success or failure 
begin 
calculate 
ti =8 Th = 8g) 
calculate 
cı = H(I D, 84, T1, 8&2, I2, t1, t2) 
if cç) = c then 
| return success 
else 
| return failure 
end 


end 


In this section, we present the NIZK proof algorithms that are 
required in Section 6.1.1. Algorithm 5 (resp. Algorithm 6) represents 
the prover algorithm (resp. verifier algorithm) for generation (resp. 
verification) of the NIZK proof Pg{token : T' = gi") required in 
the voting and tallying phase in Section 6.1.1 for an encrypted vote 
(U;, V;). Algorithm 7 (resp. Algorithm 8) represents the prover algorithm 
(resp. verifier algorithm) for generation (resp. verification) of the NIZK 
proof Pr{s Ai = DAN = g5)} and Px{s.prev_hash : (13 = 
gy” rev-hashy A (p, = gS Prev-hashy) required in the voting and tallying phase 


2 
in Section 6.1.1. 


Algorithm 9: A prover with identifier ID generates a proof of 
knowledge of a secret 4 such that Q” = {y/}4) A (QY = {vi }4) v 
(Dy! = tr })). 

Input : ID, T', y, TYY 

N fy 
Ty = {yr} 

Output: I = Px {A: UI’ = 

begin 
choose random w, r3, c € Zy 
calculate w; = w +r, +cÀ 
calculate 


A such that T’ = {y'} and 


YACHT = OVEL =) 


ti = {7 "t = 1} ta = (QP? 


calculate 
c = HID, y', T", 0), T p ti t2), 


(B.1) 


cy =c- (B.2) 
calculate 
rp =w-cA 


(B.3) 


return y = (c1, C2,f1, r2) 
end 


Appendix B 


Security properties of zero-knowledge proof of prover Algorithm 3 
and the verifier Algorithm 4. 

We have proved the security properties of the proposed efficient 
NIZK proof for two candidates i.e. for 1-out-of -2 NIZK proof. The 
security proofs can be easily extended for n candidates i.e. for 1-out-of- 
n NIZK proof. Algorithm 9 (resp. Algorithm 10) is presented to prove 
(rep. verify) a proposition of the form ø’ A(¢, V p2) for three assertions 
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Algorithm 10: Verification of proof IT generated by Algorithm 9 
given ID, T',y', q r y ye i The discrete logarithmic relationships 
for the pairs (y’,y;’) and (y', y3’) are unknown. 


Input : ID, T',y', T}, y_i = (c1, c2, r1, r2) 
Output: successful or failure 
begin 
calculate 
ti = {y yt tr! jata, tio = (yy (ry yei and 
t = fy VT 
calculate 
d = HUD, 5.0 T Y heey) 
if c’ =c, +c, then 
| return successful 
else 
| return failure 
end 


end 


gv’, pı and @, where the prover knows discrete logarithms for the pair 
(g', 9). Here g', p, and gy are assertions I” = {y}, TY = {7} 
and (T; = {y} }*) respectively. In order for prover P and verifier V 
to achieve the security properties, we must restrict the computational 
power of V or any attacker so that it is bounded by a polynomial in 
the size of common input. Clearly, without this restriction we need 
not talk about zero-knowledge since V of an unbounded computational 
power can find P’s private input hidden behind common input. The 
discrete logarithm for the pairs (y’, y’) and (y’, y’) are unknown. Note 
that this assumption is also made in [4] for construction of 1-out-of-n 
NIZK. Otherwise, an attacker can find out the set corresponding to the 
witness i.e. the witness indistinguishability property will be lost. 

Completeness: 

By direct observation of the protocol, it is straightforward to see that 
the completeness property is preserved. This means that, if the prover 
generates (c4, €23, F1, r2) and follows the protocol instruction, the honest 
verifier will always accept it. 

Soundness: 

We need to find soundness error probability. 

Let us assume that for the same commitment (t4, t12, t22) with fixed 
ř2,C2, W, two different response viz. (c1, c2,r1, r2) and (leir 15) are 
generated, where c 1 Æ Ch Now we can compute a witness for / 
i.e. 4 = (r - rie} — cı). Therefore, the prover P knows the witness 4. 
Similarly, let us assume that for the same commitment (t4, t12, t22) with 
fixed r,,c,,w, two different response viz. (c4, c3, r1, f2) and (cl, él; rots) 
are generated, where c) # 6: Now we can compute a witness for A 
i.e. A = (r - re — Cy). Therefore, in this case also, the prover P 
knows the witness 4. 

Suppose a prover, P*, is a cheater, i.e., she does not know the 
correct discrete logarithm value for any of the pair (g’, g1) or (9, p2). 

For a commitment (t4, t12, t32) she chooses in Eq. (B.1), the verifier 
is waiting for a response (c4, cy, r1, r2) such that 
ci +c, = HUD, PEG TI: {y pit {ryte 

(TI, (9 2), 
Since the prover, P*, does not know the correct discrete logarithm, the 
best known strategy to compute such response is to guess (r,r) and 


(B.1) 


any one of cı or c first as follows: 

1. picking random r; Eg Z} and r, Eg Z} uniformly; 

2. picking either of c, or c, uniformly from the image space of the 
hash function H i.e. picking c, Eg Image(H) (assuming H has the same 
large output space as Z,) 

3. computing 
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c, = HUD, ae ee ba ae {yp parr ate, Cyl LY, (yg! Fe 
(7?) - c. (r o = HAD, y', PG T G (y VOD Oe, 
(1 PUTTY, fg} (1) — ci, if he picks c} Eg Image(H) in step 
2). 

This is a well-known computationally hard problem to find such 
ac, since H is a random oracle and g* is a one-way function. Now 
since she does not know the discrete logarithm corresponding to any 
of the pair (y’,g,) or (v’,@,) and H is a random oracle and g* is a 
one-way function, the soundness error probability is (1/2”), where n is 
the security parameter log(q). 

Zero-knowledgeness: 

We will show that although the algorithm is not a full zero- 
knowledge, the algorithm does not reveal any information about P’s 
private input 4. Note that the Schnorr signature scheme (NIZK) and 
the 1-out-of-n zero-knowledge proof described in [4] are also not a full 
zero-knowledge but they does not reveal any information about P’s 
private input. 

For a response (c4, c2, r1, r2) to be valid and accepted by the verifier 
V, they must satisfy the equation 


cı = HUD, DOLT ae gy patrate, 
(YEPE, (YAT) — c. 


Viewed by a third party, Eq. (B.2) means either of the following two 


cases: 


(B.2) 


1. the equation is constructed by P using her private input, hence 
P discloses that she has been in interaction with verifier V, or 


2. an attacker or a verifier has successfully broken the random 
oracle hash function H of large output space Z, and another one-way 
function g*, because she has constructed Eq. (B.2). 


This is a well-known hard problem since H is a random oracle and 
g* is a one-way function. 


Since an attacker or verifier is polynomially bounded, the third 
party will of course believe that (1) is the case. The response (c,, cy, 
r1,12) is precisely a signature under Schnorr’s signature scheme. Since 
only P could have issued such signature, the third party has made 
correct judgment. 


A simulator cannot generate such response (c4, c2,f1,rř2) without 
knowing the discrete logarithm corresponding to any of the pair (9, 1) 
or (9', p2). 

Therefore, it is not a full zero-knowledge. However, we will show 
that the proof transcript (c4, c2,r1,r2) does not reveal any information 
about P’s private input (discrete logarithm). 


Let us consider Eq. (B.3) calculated by prover P i.e. r} = w — cA. 
Here w is chosen uniformly from Z, independent from all previous 
instances and 4 is P’s private input. After receiving a valid response 
(c1; ,1,1), ¢, and r, are known to the verifier V and any attacker. 

Note that c, and r, are chosen uniformly from Z, independent 
from all previous instances. Let C, and R, denote random variables 
corresponding to cy and r, respectively. 

c being the output of the hash function H is also uniformly dis- 
tributed over the image space of H. Let us assume that the image space 
of H is Z,. Let C denote the random variable corresponding to c. 

We assume that there is a probability distribution for 4 which 
determines a random variable 4. Let W denote the random variable 
corresponding to w. The three random variables viz. C,, W and 4 
determine a random variable R over Z, representing rı, where r; = 
w-— cÀ. 
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Let f, tj) and tj, denote the random variables representing t) = 
{7}, th = {77} and ty = {y} {T3} respectively, where w; = 
w +r + CA. 

Now, since r, and c, are chosen uniformly and independently from 
Z the random variables C, and t;, are also independent. 

Also since ry, c, and w are chosen uniformly and independently from 
Z,, the random variables C, and f; are also independent. 

Hence the random variables Ĉ and Č are also independent, 
where the random variable Č represents c = H(ID,y', T", CA G 
Tiat Da) 

Consider Eq. B.2 i.e. ¢} = c — cy. Here c, is uniformly distributed 
and independent of c. Therefore, the random variable C, is also uni- 
formly distributed and independent of C. This follows from following 
well-known result from probability theory. 

Two random variables X, and X, are such that (X,, X,) E€ G x G, 
where (G, +) is a group. Given that (1) X} and X, are independent and 
(2) X, is uniform over G. Let X; = X, + X,, then (1) X, and X; are 
independent and (2) X, has uniform distribution over G. 

Since C, is independent of C, C, is also independent of W and 1. 

Therefore, three random variables W, C, and ī are uniformly 
distributed over Z, and independent of each other. Let n denote the 
security parameter log(4). Now, Pr[R = r] = 2 we, ZcyeZz4 PrIW = 
w]Pr[Ĉ, = q]Pr[ï = (w -= r)a] = 1/2") Xwez, Ze,ez, PIC = 
qlPr[Ã = (w - r)a ™!] = 0/2"? Zwez, Zea ez, Prl = 
= 0/2"? Z wez ! = (1/2"}.(2") = (1/2"). 

Pri = nj = Al = Z ez, PrI, = q]Pr[Ŵ = ri + càl = 


c 


0/22. ez, PrlW = r; + eA] = (1/2). 


(w — rja] 


Therefore, Pr[A = A|Ř = r1] = (Pr[A = A]Pr[Ř = 1, |A = Al/Pr[R = 
ry) = Pr = 41.0 /2)/0/2") 
= Pr[ï = 4]. (B.3) 


Therefore, the r, does not reveal any information about P’s private 
input 4. rı forms a one-time pad (shift cipher) encryption of P’s private 
input 4, which provides information-theoretic quality of security i.e. it 
has prefect secrecy. 

Although we have used the same 4 for constructing t = {y’}“!, 
where w; = w +r, +c A. Due to hardness of the discrete logarithm 
problem, an attacker or a verifier cannot find w, from {y’}”!. Also, the 
logarithmic relationship for the pairs (y', y’), (', y3) are unknown. t; 
does not reveal any more information about P’s private input 4 than 
that has already been revealed by their common input T” = {y’}*. 

Therefore, the algorithm does not reveal any more information 
about P’s private input 4 than that has been revealed by their common 
inputs T”, Ty, and vy. 

Witness Indistinguishability: 

We have to show that the distribution of the conversation is inde- 
pendent of the qualified set A corresponding to P’s private input 4. 
Since the prover generates a proof of knowledge of a secret J such 
that Q” = {7} ACI! = (> v Œ! = {y}, a verifier and an 
attacker already know that the assertion (I = {y’}*) is in the qualified 
set A. Our aim is to prevent an attacker or a verifier from knowing that 
which one among (I7’ = (34) and (T; = {73}4) corresponds to the 
P’s private input 4. Let g’ = (I’ = {y'}4) and g, = qy = o, where 
[= 1;2: 

We use the same notation and random variables described in the 
previous section. 

Since, w, c and r, are chosen uniformly and independently from Z, 
(i.e. t41E€RG; and t),€RG,), fi» tj, are independent from the qualified 
assertion g,. Since the logarithmic relationships for the pairs (y’ E ) 
and (y',y}') are unknown to attacker, fi, ti2, ty) are also independent 
from the qualified assertion 4. 
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Therefore, Č is also independent from the qualified assertion ¢,. 

Since c, is chosen uniformly and independently from Z,, then the 
distribution of (c4, c2) is also independent of the qualified assertion 9. 

Since cı is uniformly distributed and independent from w, from 
Eq. (B.3) we can conclude that R is independent from W and hence 
R is independent of the assertion 9,. 

Therefore, the conversation (c4, c2, r1, r2) is independent of the qual- 
ified assertion gy, and hence the algorithm is witness indistingui- 
shable. O 
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